Defending Against Package Typosquatting

Bibliographic Details
Published in: Network and System Security, Vol. 12570, pp. 112-131
Main Authors: Taylor, Matthew; Vaidya, Ruturaj; Davidson, Drew; De Carli, Lorenzo; Rastogi, Vaibhav
Format: Book Chapter
Language: English
Published: Switzerland, Springer International Publishing AG, 2020
Series: Lecture Notes in Computer Science
ISBN: 9783030657444, 3030657442
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-030-65745-1_7

Summary: Software repositories based on a single programming language are common. Examples include npm (JavaScript) and PyPI (Python). They encourage code reuse, making it trivial for developers to import external packages. Unfortunately, the ease with which packages can be published also facilitates typosquatting: uploading a package with a name similar to that of a highly popular package, with the aim of capturing some of the popular package's installs. Typosquatting frequently occurs in the wild, is difficult to detect manually, and has resulted in developers importing incorrect and sometimes malicious packages. We present TypoGard, a tool for identifying and reporting potentially typosquatted imports to developers. TypoGard implements a novel detection technique, based on an analysis of npm and PyPI. It leverages a model of lexical similarity between names and incorporates the notion of package popularity. It flags cases where unknown or scarcely used packages would be installed in place of popular ones with similar names, before installation occurs. We evaluated TypoGard on npm, PyPI and RubyGems, with encouraging results: TypoGard flags up to 99.4% of known typosquatting cases while generating few warnings (up to 0.5% of package installs) and incurring low overhead (2.5% of package install time).
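As an added example (not TypoGard's code and not taken from the paper), the following sketches an install-time check that combines the two signals the abstract describes: lexical similarity between package names and package popularity, so that only an unknown or scarcely used name resembling a popular one is flagged. The download counts and the thresholds are constructed assumptions, not real registry data.

```python
# Added example, not TypoGard's implementation: flag an install when the requested
# package is scarcely used but lexically close to a popular package.
from typing import Optional

# Constructed sample of registry download counts (package name -> weekly downloads).
SAMPLE_DOWNLOADS = {
    "requests": 50_000_000,
    "urllib3": 40_000_000,
    "lodash": 35_000_000,
    "request": 20_000_000,   # genuinely popular, so a near-name is not a squat here
    "requets": 40,           # scarcely used name one edit away from "requests"
    "lodahs": 12,            # scarcely used name one transposition away from "lodash"
    "left-pad": 2_000_000,
}

POPULAR_THRESHOLD = 1_000_000  # assumed: plausible typosquatting target
SCARCE_THRESHOLD = 1_000       # assumed: plausible squatter
MAX_DISTANCE = 2               # assumed: names within this distance are confusable


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition of adjacent chars
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_install(name: str, downloads: dict) -> Optional[str]:
    """Return the popular package `name` may be a typosquat of, or None if it looks fine.

    A package with non-negligible usage is never flagged, so "request" (itself popular)
    passes even though it is one edit from "requests"; an unknown name does not.
    """
    if downloads.get(name, 0) >= SCARCE_THRESHOLD:
        return None
    candidates = [p for p, n in downloads.items()
                  if n >= POPULAR_THRESHOLD and p != name
                  and edit_distance(name.lower(), p.lower()) <= MAX_DISTANCE]
    if not candidates:
        return None
    # Report the most popular confusable package as the likely intended target.
    return max(candidates, key=downloads.__getitem__)
```

Calling `check_install("requets", SAMPLE_DOWNLOADS)` returns `"requests"`, while `check_install("request", SAMPLE_DOWNLOADS)` returns `None`; a name absent from the registry sample, such as `"left_pad"`, is treated as scarcely used and flagged against `"left-pad"`.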