Application Security
Sarah Gooding
November 24, 2023
Have you ever tried to type in a URL for a popular site but make a spelling error, landing yourself on a shady domain with rapid-fire (and frequently un-dismissable) popup messages urging you to download malware? This insidious sleight of hand, known as typosquatting, also exists in the world of package managers, often with far more costly consequences.
Typosquatting happens when attackers register malicious packages with names that are similar to legitimate popular packages, with the intention of corrupting supply chains when developers make mistakes in typing package names in scripts and automated tools. This can be particularly dangerous for software that underpins critical services like federal agencies, government, education, and emergency response capabilities.
In 2016, Nikolai Philipp Tschacher published a bachelor thesis based on a typosquatting attack simulation in which he uploaded more than 200 typosquatted packages to the PyPI, NPM, and RubyGems repositories. The goal was to estimate the risk of such attacks, and Tschacher successfully demonstrated how effective this method is:
The results of the attack showed that over 17 thousand distinct hosts installed those typo packages and executed their code. All these computers could have been infected with malware if malicious agents would have been the attackers instead. Around 50 percent of these confirmed installations were conducted with administrative rights, which increases the security impact considerably.
One of the most well-known package typosquatting attacks occurred in 2019 when the Python security team removed two trojanized Python libraries from PyPI that were stealing SSH and GPG keys from the projects of infected developers. The packages included “python3-dateutil,” created to be similar to the popular “dateutil” library, and “jeIlyfish” (where the first L was an I), appearing to be nearly identical to the “jellyfish” library.
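The lookalike patterns in the two 2019 PyPI packages above can be checked mechanically. The following Python sketch is an added example, not code from Socket or from the original article: it flags dependency names that differ from a vetted name by confusable characters, an added prefix or suffix, or a single edit. The POPULAR list, the confusable-character map and the affix pattern are constructed assumptions for illustration.

```python
# Added example: flag dependency names that look like typosquats of known packages.
# POPULAR is a constructed allowlist; a real check would use your own vetted list.
import re

POPULAR = {"dateutil", "jellyfish", "requests", "react"}

# Visually confusable characters folded to one canonical form (assumed, minimal set).
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})
# Decorations added around a real name, e.g. "python3-dateutil" (assumed pattern).
AFFIX = re.compile(r"^(python[23]?|py|node|js)[-_.]|[-_.](python|py|js)$")


def skeleton(name: str) -> str:
    """Fold confusable characters before lowercasing, then drop separators."""
    return re.sub(r"[-_.]", "", name.translate(CONFUSABLE).lower())


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): swaps count as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check(name: str):
    """Return (reason, lookalike_of) for a suspicious name, or None if it passes."""
    if name in POPULAR:
        return None  # exact match to a vetted package
    stripped = AFFIX.sub("", name.lower())
    for known in sorted(POPULAR):
        if skeleton(name) == skeleton(known):
            return ("confusable characters", known)
        if stripped == known:
            return ("added prefix/suffix", known)
        if edit_distance(name.lower(), known) == 1:
            return ("one edit away", known)
    return None


if __name__ == "__main__":
    for dep in ["jeIlyfish", "python3-dateutil", "reqeusts", "react", "flask"]:
        print(dep, "->", check(dep))
```

A name that passes this check is not thereby safe; the check only catches names that resemble entries on the vetted list.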
This attack vector has grown considerably in the last few years in tandem with package managers, which have become indispensable for streamlining dependencies in modern web development.
In 2020, ReversingLabs detected 760 malicious Ruby gems while monitoring their gem ingestion queue for typosquatted names. Sonatype’s 2021 software supply chain report found that supply chain attacks on open source software packages had increased by 650% and that typosquatting was the second most common technique used. In 2023, the company logged 245,032 malicious packages, a number that tripled from the previous year.
Socket’s free GitHub app was created to detect malicious packages and is your first line of defense against typosquatting, among other supply chain risks (install scripts, telemetry, known malware, and more). It offers real-time scanning of incoming dependencies with every pull request. When a potential typosquatted package is detected, the app instantly alerts the developer who submitted the PR (or the one reviewing it) through a GitHub comment.
Socket for GitHub detects and blocks attacks that get missed by traditional vulnerability scanners. It makes it virtually effortless to ensure typosquatted packages never see the light of day in your repositories. Install the app in under a minute and it will start protecting your repositories, analyzing PRs, and alerting you to issues.
Another way to safeguard your supply chain is by using the Socket CLI tool, which can also alert you to potential typosquatting, among other security issues. It features a “safe npm” tool that proactively protects developers’ machines from bad packages when they use npm install.
Socket transparently wraps npm commands while running the real npm install process and analyzing the results in the background. This includes deeply nested dependencies. Before writing anything to disk, it will alert you if it detects a risky package and give you the opportunity to stop the install or proceed with the risk.
Developers can get started by running npm install -g @socketsecurity/cli.
You can then prefix npm installs with “socket” to have them analyzed before install:
socket npm install react
Both Socket for GitHub and Socket CLI are seamless workflow additions that are free to use and could save your app or organization from the disastrous consequences of supply chain attacks that leverage typosquatting. Install them today to keep risky dependencies from landing in your applications.