Abstract
Software repositories based on a single programming language are common. Examples include npm (JavaScript) and PyPI (Python). They encourage code reuse, making it trivial for developers to import external packages. Unfortunately, the ease with which packages can be published also facilitates typosquatting: uploading a package with a name similar to that of a highly popular package, with the aim of capturing some of the popular package's installs. Typosquatting frequently occurs in the wild, is difficult to detect manually, and has resulted in developers importing incorrect and sometimes malicious packages.
We present TypoGard, a tool for identifying and reporting potentially typosquatted imports to developers. TypoGard implements a novel detection technique, based on the analysis of npm and PyPI. It leverages a model of lexical similarity between names, and incorporates the notion of package popularity. It flags cases where unknown or scarcely used packages would be installed in place of popular ones with similar names, before installation occurs. We evaluated TypoGard on npm, PyPI and RubyGems, with encouraging results: TypoGard flags up to 99.4% of known typosquatting cases while generating limited warnings (up to 0.5% of package installs), and low overhead (2.5% of package install time).
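As an added illustration, not TypoGard's own code, the following sketches the kind of pre-install check the abstract describes: a requested name is warned about when it is unknown or scarcely used and lies within a small edit distance of a popular package. The similarity model (optimal-string-alignment distance of at most 1), the download thresholds and the sample registry are all assumptions made for this example.

```python
import re
# Constructed sample registry (package name -> weekly downloads); all numbers are made up.
SAMPLE_REGISTRY = {
    "lodash": 40_000_000,
    "commander": 25_000_000,
    "comander": 12,           # constructed squat candidate: one letter dropped
    "babel-loader": 9_000_000,
    "babel-laoder": 3,        # constructed squat candidate: two letters swapped
    "request": 18_000_000,
    "requests": 50,           # constructed squat candidate: one letter appended
}

POPULAR_MIN = 100_000   # assumed threshold: at or above this a package counts as popular
SCARCE_MAX = 1_000      # assumed threshold: at or below this a package counts as scarcely used
MAX_DISTANCE = 1        # assumed lexical model: optimal-string-alignment edit distance <= 1

def normalize(name):
    """Case-fold and collapse runs of '-', '_' and '.', so Babel_Loader ~ babel-loader."""
    return re.sub(r"[-_.]+", "-", name.lower())

def osa_distance(a, b):
    """Edit distance counting insertions, deletions, substitutions and adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_install(requested, registry=SAMPLE_REGISTRY):
    """Return popular packages the requested name may be squatting on (most popular first); [] = no warning."""
    if registry.get(requested, 0) > SCARCE_MAX:
        return []                       # established package: not a squat candidate
    target = normalize(requested)
    hits = [name for name, count in registry.items()
            if name != requested and count >= POPULAR_MIN
            and osa_distance(target, normalize(name)) <= MAX_DISTANCE]
    return sorted(hits, key=lambda n: -registry[n])

if __name__ == "__main__":
    for pkg in ["comander", "babel-laoder", "requests", "lodash"]:
        print(pkg, "->", check_install(pkg) or "ok")
```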
© 2020 Springer Nature Switzerland AG
Cite this paper
Taylor, M., Vaidya, R., Davidson, D., De Carli, L., Rastogi, V. (2020). Defending Against Package Typosquatting. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science(), vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_7
DOI: https://doi.org/10.1007/978-3-030-65745-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65744-4
Online ISBN: 978-3-030-65745-1
eBook Packages: Computer Science; Computer Science (R0)