sh4d0wup
Description:
Signing-key abuse and update exploitation framework
Type: Formula  |  Tracked Since: Dec 28, 2025
Links: Homepage  |  formulae.brew.sh
Category: Security
Tags: security pentesting supply-chain exploitation packaging
Install: brew install sh4d0wup
About:
Sh4d0wup is a framework for testing and exploiting software update mechanisms and signing-key infrastructure. It lets security professionals inject payloads into signed package updates or stand up deceptive package repositories, in order to show how a compromised signing key or update server leads to a large-scale software supply chain compromise. The point the tool makes is that a tampered package signed with a stolen key is, to the client, indistinguishable from a legitimate one: signature verification alone does not detect key compromise, so update clients also need freshness checks, key rotation and revocation, and ideally signatures from more than one independent key.
Key Features:
  • Supports multiple package formats including Alpine APK, DEB, RPM and Arch (pacman) packages
  • Ability to sign packages with attacker-controlled keys, whether compromised or newly generated and substituted for the real trust root
  • Built-in HTTP server for hosting malicious package repositories
  • Payload injection into various update mechanisms
  • Supports various signature schemes and hash algorithms
Use Cases:
  • Red team exercises simulating supply chain attacks
  • Testing package manager security implementations
  • Security auditing of update infrastructure
  • Demonstrating impact of signing key compromises
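The scenario behind the description above and the "Demonstrating impact of signing key compromises" use case, as an added Go illustration that is not part of sh4d0wup or of this page: a toy repository index listing package digests, signed with Ed25519. A single-key client accepts an attacker's re-signed index as soon as one publisher key is stolen, a 2-of-2 threshold client rejects it, and a replayed old index is caught by the rollback check. The Index, Client and Scenario names, the index format and the package bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Index is a toy repository metadata file (an assumption for this example):
// a monotonically increasing version plus the expected SHA-256 of every package.
type Index struct {
	Version  uint64
	Packages map[string]string // package name -> hex SHA-256 of the package bytes
}

// Canonical renders the index deterministically so the signature covers
// exactly the bytes the client will verify.
func (ix Index) Canonical() []byte {
	names := make([]string, 0, len(ix.Packages))
	for n := range ix.Packages {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "version=%d\n", ix.Version)
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, ix.Packages[n])
	}
	return []byte(b.String())
}

func digest(pkg []byte) string {
	h := sha256.Sum256(pkg)
	return hex.EncodeToString(h[:])
}

// Client models an update client: its trusted keys, how many distinct keys
// must sign the index, and the last version it accepted (rollback detection).
type Client struct {
	Trusted  []ed25519.PublicKey
	Required int
	LastSeen uint64
}

// Accept returns nil if the index passes every check, otherwise the reason it failed.
// sigs maps an index into c.Trusted to the signature made by that key.
func (c *Client) Accept(ix Index, sigs map[int][]byte, pkgs map[string][]byte) error {
	msg := ix.Canonical()
	valid := 0
	for i, pub := range c.Trusted {
		if sig, ok := sigs[i]; ok && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	if valid < c.Required {
		return fmt.Errorf("need %d valid signatures, got %d", c.Required, valid)
	}
	if ix.Version <= c.LastSeen {
		return fmt.Errorf("rollback: index version %d <= last seen %d", ix.Version, c.LastSeen)
	}
	for name, want := range ix.Packages {
		if got := digest(pkgs[name]); got != want {
			return fmt.Errorf("package %s: digest mismatch", name)
		}
	}
	c.LastSeen = ix.Version
	return nil
}

// Result records whether each client accepted the attacker's update.
type Result struct {
	SingleKeyAccepted bool // one trusted key, and that key was stolen
	ThresholdAccepted bool // 2-of-2 keys required, attacker holds only one
	ReplayAccepted    bool // genuine but stale index served again
}

// Scenario plays out the key compromise: the attacker holds publisher key A only.
func Scenario() (Result, error) {
	var res Result
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	pubB, privB, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	// Constructed package contents; the "payload" is just a marker line.
	genuine := []byte("#!/bin/sh\necho genuine build\n")
	backdoored := []byte("#!/bin/sh\necho genuine build\n: attacker payload marker\n")

	// Legitimate release: index v7 signed by both publisher keys.
	good := Index{Version: 7, Packages: map[string]string{"tool": digest(genuine)}}
	goodSigs := map[int][]byte{
		0: ed25519.Sign(privA, good.Canonical()),
		1: ed25519.Sign(privB, good.Canonical()),
	}
	// Attacker's release: bumps the version, swaps the digest, signs with stolen key A.
	evil := Index{Version: 8, Packages: map[string]string{"tool": digest(backdoored)}}
	evilSigs := map[int][]byte{0: ed25519.Sign(privA, evil.Canonical())}
	evilPkgs := map[string][]byte{"tool": backdoored}

	single := &Client{Trusted: []ed25519.PublicKey{pubA}, Required: 1, LastSeen: 7}
	res.SingleKeyAccepted = single.Accept(evil, evilSigs, evilPkgs) == nil

	thresh := &Client{Trusted: []ed25519.PublicKey{pubA, pubB}, Required: 2, LastSeen: 7}
	res.ThresholdAccepted = thresh.Accept(evil, evilSigs, evilPkgs) == nil
	res.ReplayAccepted = thresh.Accept(good, goodSigs, map[string][]byte{"tool": genuine}) == nil
	return res, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("single-key client accepted attacker index: %v\n", r.SingleKeyAccepted)
	fmt.Printf("2-of-2 threshold client accepted attacker index: %v\n", r.ThresholdAccepted)
	fmt.Printf("replayed stale index accepted: %v\n", r.ReplayAccepted)
}
```

The single-key client passes every check it has, because the attacker's index is correctly signed and carries a higher version than the last one seen; only a requirement the attacker cannot satisfy with one stolen key (a second independent signature here, or out-of-band comparison against a reproducible build) turns the compromise into a detectable failure.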
Alternatives:
  • dpkg-sig – Only handles Debian packages with basic signing, lacks Sh4d0wup's multi-format support and exploitation framework
  • rpmsign – RPM-specific signing tool without repository simulation or cross-format capabilities
Version History
Detected Version Rev Change Commit
Sep 14, 2025 4:32am 0 VERSION_BUMP c9e93adc
Nov 13, 2024 3:20pm 0 VERSION_BUMP 8a0bc4ad
Sep 14, 2024 7:21pm 0 VERSION_BUMP 150c0f45