Security risks with Typosquatting
Posted in security on October 1, 2022 by Sodim Admin ‐ 2 min read

What is typosquatting
Typosquatting refers to a social engineering attack which targets users who mistype a package name when trying to install a package.
Let's say you wanted to install a package named requests. To install the correct package, the pip command would be
pip install requests
Now, in the case of typosquatting, the user types in a misspelled package name instead of the actual command, which could be as simple as a single-character spelling mistake or just a missing s at the end of the package name.
So let's assume the user mistakenly types in
pip install request
If you look carefully, you would see this command has a missing s at the end of the package name, i.e. instead of requests the user typed request. Now this looks like a simple typo, but here is where the attack kicks in.
In typosquatting, the attacker creates malware and uploads it to the PyPI repository under a variety of names similar to the names of popular packages. With so many different permutations of an already existing trusted package name, a single typo by any developer will lead to malware getting installed on the system, which could then read your environment variables and send them back to the attacker. Sometimes an executable could also be run; the possibilities are endless as to what the attacker can do.
Attack on requests
A famous example of such an attack was on requests; below is a list of package names the attacker had created.
These misspelled packages had more than 20k downloads.
Mitigation
Being aware of such attacks, devs can generally avoid these issues, or, as some devs do, just copy and paste the install command from the original documentation's installation page. But what about the packages you have already installed?
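One defender-side check for the "already installed" case is to compare the names in a requirements file (or the output of pip freeze) against a list of trusted package names and flag anything that is only an edit or two away from a trusted name without being an exact match. The example below is added here and is not SODIM's code or code from the original post; the trusted-name list and the requirements excerpt are constructed for illustration.

```python
import re

# Constructed allowlist of trusted names; an assumption, extend with your own.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "flask", "boto3"}

def normalize(name: str) -> str:
    # PEP 503 name normalization: lower-case, runs of . _ - become one -
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance with a single rolling DP row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirement_name(line: str):
    # Drop comments and pip options, keep the distribution name before
    # any extras ([...]), version specifier or environment marker
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def find_suspects(requirements: str, known=KNOWN_PACKAGES, max_dist: int = 2):
    """Return (name, lookalike, distance) for names that are not trusted but sit within max_dist edits of a trusted name."""
    known_norm = {normalize(k) for k in known}
    suspects = []
    for line in requirements.splitlines():
        name = parse_requirement_name(line)
        if name is None or normalize(name) in known_norm:
            continue  # blank/option line, or an exact match to a trusted name
        for k in sorted(known_norm):
            d = edit_distance(normalize(name), k)
            if d <= max_dist:
                suspects.append((name, k, d))
                break
    return suspects

# Constructed requirements.txt excerpt; "request" and "urlib3" are the typos
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
request             # missing trailing s
urlib3>=1.26        # missing l
django>=4.0
"""
```

Calling find_suspects(SAMPLE_REQUIREMENTS) returns the two typo lines with their nearest trusted name; a hit is a candidate to verify on PyPI, not proof of malware, since legitimate packages can also sit within two edits of a popular one.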
We can help!
How does SODIM help?
We at SODIM are trying to simplify third-party package security, one problem at a time. Using SODIM, you upload your requirements.txt file and we generate a report which gives you all the necessary information about the packages and their dependencies, even nested dependencies, with a clear picture of how secure they are and whether any vulnerabilities have been reported publicly for them, along with much other useful information. Check out https://sodim.dev ! You get 10 free credits for trying it out.