We've had a lot of interest in this thesis. We were a little less defensive this time given that the author made clear that several major package managers are vulnerable in the same way.
We delete typo-squatting when it is brought to our attention. Usually this happens when somebody else wants to use the name, in which case our support team will transfer the empty package to them. Sometimes people will notice a single user squatting a large number of names, and then we'll delete them, but the registry is too big and our support team too small to do this all the time. We do not automate removal of squatting because it's too easy to game: whatever you decide is the rule to be a "real" package, somebody will create a package that meets that and use it to squat on things.
As for the security risk, it is pretty small. The ~600 installs he counted over several days from npm represent just 0.02% of the number of installation sessions npm records in a single day, and he did not account for the fact that npm has thousands of private mirrors around the world, so any published package is downloaded several hundred times by robots who automatically download every package. The number of real humans involved, if any, is probably very small.
As with most package managers, most npm package installations are not the result of a human typing in a name: usually the packages come as part of a manifest, such as npm's package.json, so the majority of package requests have no chance of a typo. The relatively small proportion of manual installations is then further filtered at several steps:
- the user has to type the package name again in the code to require() the package
- the user will usually run/test the code and notice any malicious behavior
- to spread malicious code, the user would then need to publish their own package containing the code
The drop-off between all these stages is such that this is so rare an event as not to be worth an attacker's time, even at our current scale. We always keep an eye on these things, and we appreciate his efforts in doing this research, but right now it doesn't worry us.
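As an added illustration of the manifest-level filtering described above (example code written for this page, not npm's own tooling): a small audit over a package.json that flags dependency names sitting within one edit of a known popular name, so a typo is caught before install rather than when the code is required and run. The POPULAR list and the sample manifest are constructed for the example.

```python
import json

# Constructed list of popular package names the audit compares against
# (an assumption for this example, not npm's real download ranking).
POPULAR = {"lodash", "express", "react", "request", "chalk", "commander"}

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def suspicious_dependencies(package_json_text, popular=POPULAR, max_distance=1):
    """Return {dependency: closest_popular_name} for names that are not themselves
    a popular package but lie within max_distance edits of one."""
    manifest = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    flagged = {}
    for name in deps:
        if name in popular:
            continue  # exact match to a known name: nothing to flag
        close = [(damerau_levenshtein(name, p), p) for p in popular]
        dist, best = min(close)
        if dist <= max_distance:
            flagged[name] = best
    return flagged

# Constructed sample manifest: one name missing a letter, one with swapped letters.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "^4.17.21", "expres": "^4.18.0", "raect": "^18.2.0"},
    "devDependencies": {"chalk": "^5.3.0"},
})

if __name__ == "__main__":
    for dep, target in suspicious_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep!r} is one edit from popular package {target!r}; verify before installing")
```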