I haven't really looked at alternative carvers (but I am aware that many great options exist). I didn't know unblob yet. Thanks for the suggestion!
Looking at the code, they use the same methodology as I describe in the post [0]. They do, however, also check for the end of the last segment, which is interesting.
I did a quick search to get a rough answer. Many maintainers/contributors try to obfuscate their email address against this type of parsing, which adds a margin of error.
I was able to find 249 expired domains (used in 626 packages) that are used in a maintainer or contributor email address. Some of these are obvious fakes (e.g. bigbrothergoogle.com), so I reckon the real number is somewhere around the 200 domains.
Of the packages that I checked (manually), many are already orphaned. Some contributors will be listed because they have contributed in the past, but do not have contribution permissions anymore. So how many of these domains will lead to an actual package takeover, will most likely be much lower.
Hybrid (Argon2id) is probably the safest bet if you are unsure.
The specific modes are useful dependent on the threat model you are protecting against. Argon2i protects better against timing/side-channel attacks and Argon2d protects better against brute-forcing attacks.
In my opinion, a developer should (in most cases) focus on application security instead of picking the perfect hashing algorithm, as application security is far more crucial.
> I'm not sure if bcrypt/blowfish is still the recommended algorithm or there's newer better ones
While bcrypt is already much, much better than using MD5 or SHA256, the best practice is to use Argon2.
In practice, it is more important to use a hashing algorithm that is designed for passwords (e.g. bcrypt, argon2, scrypt) than it is to choose the best one. As this breach shows, many sites are still using insecure hashes, like MD5, because it worked 15 years ago.
The (centralized) crypto lending space has been slowly imploding in the past year. Most companies give a promotional rate on the first coin(s), but will pay very little interest on any large amount.
I improved my post (and my carver) by including parsing the program headers as well.
Also, thanks for the suggestion of super-strip. An interesting tool that I will play around with.