Typosquatting

What is Typosquatting?

Typosquatting in the software context is a social engineering attack that targets developers and build systems by publishing malicious packages with names that are visually similar to legitimate, popular libraries or dependencies. The attacker creates packages that exploit common typing mistakes, alternative spellings, or visually similar characters, hoping that developers or automated build processes will accidentally install the malicious package instead of the intended legitimate one.

This attack vector has become increasingly common in open source ecosystems, where developers regularly import third-party packages from public repositories like npm, PyPI, RubyGems, and Maven Central.

Common Typosquatting Techniques

Character Omission

Removing a character from the original name:

• Original: express
• Typosquat: expess

Character Duplication

Repeating a character from the original name:

• Original: requests
• Typosquat: reqquests

Character Replacement

Substituting a character with another similar one:

• Original: lodash
• Typosquat: 1odash (using the number "1" instead of the letter "l")

Character Transposition

Swapping adjacent characters:

• Original: django
• Typosquat: dajngo

Character Insertion

Adding an extra character:

• Original: react
• Typosquat: reactt

Hyphenation Changes

Modifying hyphens or underscores:

• Original: json-parser
• Typosquat: jsonparser or json_parser

Visual Homoglyphs

Using characters that look identical or very similar:

• Original: google
• Typosquat: goog1e (using number "1" instead of letter "l")

Alternative TLDs (in URLs/domains)

Using a different top-level domain:

• Original: example.com
• Typosquat: example.org or example.co

Typosquatting in Package Ecosystems

Different programming language ecosystems have witnessed various typosquatting attacks:

JavaScript (npm)

The npm registry is particularly vulnerable due to its size (over 1.3 million packages) and the common practice of using many small dependencies:

• crossenv (posing as the legitimate cross-env)
• loadyaml (similar to popular YAML processing libraries)
• socket.io vs socket-io

Python (PyPI)

Python's package repository has seen sophisticated attacks:

• python3-dateutil (mimicking the legitimate python-dateutil)
• djanga (similar to the popular framework django)
• urllib vs urlib

Ruby (RubyGems)

Ruby's gems have also been targeted:

• rspec vs rsspec
• rails vs ra1ls

Java (Maven)

Maven repositories have seen fewer attacks, but remain vulnerable:

• Typosquatting on group IDs (e.g., org.apache.commons vs org.apachee.commons)
• Similar artifact IDs

Malicious Activities in Typosquatting Packages

Once installed, typosquatting packages typically perform various malicious activities:

Data Exfiltration

• Environment Variables: Stealing API keys, tokens, or secrets
• SSH Keys: Exporting private SSH keys
• Configuration Files: Accessing service credentials
• Personal Data: Harvesting user information

System Compromise

• Backdoor Installation: Creating persistent access
• Malware Deployment: Installing additional malicious software
• Botnet Participation: Adding the machine to a controlled network
• Cryptominers: Using system resources to mine cryptocurrency

Supply Chain Poisoning

• Dependency Hijacking: Modifying downstream dependencies
• Build Process Corruption: Tampering with compiled artifacts
• Runtime Modifications: Changing application behavior after deployment

Real-World Typosquatting Incidents

The 2018 Event-Stream Incident

In 2018, a malicious actor gained control of a popular npm package called event-stream and added a dependency on a malicious package. This was a slightly different attack vector but demonstrated the impact of package repository attacks.

Python Typosquatting Campaign

In 2020, researchers discovered over 400 malicious Python packages that were typosquats of popular libraries, designed to steal SSH and GPG keys and exfiltrate them to remote servers.

UA-Parser-JS Attack

In 2021, the npm package ua-parser-js with over 7 million weekly downloads was compromised, and malicious versions were published that attempted to install cryptominers and password stealers.

Detecting Typosquatting Packages

Automated Detection Methods

• Levenshtein Distance: Measuring the edit distance between package names
• Character Frequency Analysis: Identifying unusual character substitutions
• Behavioral Analysis: Monitoring for suspicious package activities
• Anomaly Detection: Identifying unusual package publishing patterns

Manual Review Signals

• New Packages with Similar Names: Especially those with minimal version history
• Code Divergence: Significantly different code from the legitimate package
• Unnecessary Network Calls: Outbound connections not required for functionality
• Obfuscated Code: Deliberately obscured functionality
• Unusual Dependencies: Dependencies that don't match the package's purpose

Prevention Strategies

For Developers

• Copy-Paste Package Names: Instead of typing them manually
• Use Lockfiles: Lock dependencies to specific verified versions
• Check Package URLs: Verify you're on the correct package page before installation
• Inspect Download Counts: Be suspicious of low-download alternatives to popular packages
• Review Package Code: At least scan imported code for obvious issues

# Safe: copy-paste from official documentation
npm install express@4.17.1
 
# Safer: use a lockfile (package-lock.json, yarn.lock, etc.)
npm ci
 
# Risky: manual typing
npm install expres  # Potential typo!

For Organizations

• Private Repositories: Use private package mirrors with vetted dependencies
• Dependency Scanning: Implement automated scanning in CI/CD pipelines
• Allowlisting: Only permit pre-approved dependencies
• Supply Chain Monitoring: Continuously track changes in dependencies

// Example npm configuration using a private registry
{
  "registry": "https://private-registry.company.com/",
  "always-auth": true
}

For Package Registry Maintainers

• Reserved Names: Prevent registration of names similar to popular packages
• Malware Scanning: Scan package contents for malicious code
• Verified Publishers: Implement verification systems for package publishers
• Activity Monitoring: Track and flag suspicious package publishing patterns
• Namespace Protection: Allow organizations to claim their namespaces

Response to Typosquatting Incidents

If you discover you've inadvertently used a typosquatting package:

1. Immediate Containment

   • Remove the malicious package from your codebase
   • Rotate any exposed credentials or secrets
   • Scan systems for persistent threats

2. Investigation

   • Analyze the impact and extent of the compromise
   • Review logs for any suspicious activities
   • Determine what data might have been exposed

3. Reporting

   • Report the malicious package to the repository maintainers
   • Alert your security team and relevant stakeholders
   • Consider responsible disclosure to affected parties

4. Prevention Improvements

   • Implement stronger controls in your development workflow
   • Train developers on supply chain security awareness
   • Enhance monitoring for similar future attempts

Evolution of Typosquatting Attacks

Typosquatting attacks continue to evolve and become more sophisticated:

Targeted Attacks

Rather than broad attacks hoping to catch random victims, attackers are increasingly targeting specific organizations by analyzing their public repositories for dependencies.

Multi-stage Payloads

Modern attacks often use delayed or conditional payloads that only activate under certain conditions to avoid detection during initial scans.

Combined Attack Vectors

Typosquatting is increasingly combined with other techniques like dependency confusion or repository compromise for greater impact.

Legitimate Package Takeovers

Instead of creating new typosquatted packages, attackers may target abandoned legitimate packages with existing user bases.