Typosquat Hunter POC

Typosquat Hunter is a Python app that helps you find typosquatting in packages during CI. Typosquatting is the malicious practice of registering names that are similar to existing ones, such as requets instead of requests, in order to trick users into installing them. Typosquat Hunter compares the names of the packages in your dependencies and flags any it thinks may be suspicious.

Roadmap

  • Proof of concept - This is a proof that the idea can work and a way to find out whether anyone wants it. I have built the app in a very scrappy way, just enough so that it works. It only works with PyPI and takes in very few data points to decide whether a package is a typosquatter or not. In its current state I think the number of false positives could be frustrating, especially if you use a more niche package.

  • Minimum Viable Product - If people find Typosquat Hunter useful I would rebuild the app from scratch, perhaps in a more performant language. I would try to build it in a modular way so that new libraries and packaging systems can be added as we go. I would also like to take in more data points from the packages, such as upload date, to more accurately predict malicious packages.

... To be continued

Run Locally

Clone the project

  git clone https://github.com/RemakingEden/typosquat-hunter

Go to the project directory

  cd typosquat-hunter

Install dependencies

  pip install -r requirements.txt

Change the app_dir variable to point at the app you want to scan. It is currently hardcoded to /app.

  app_dir = "/your/app/location"

Run the script

  ./typosquatHunter.py

If you would like to ignore a package as a false positive, add its name to a whitelist file called typosquathunterwhitelist.txt in the app folder.
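To make the comparison described in the overview and the whitelist behaviour above concrete, here is an added example (not the project's own code, and not the method typosquatHunter.py necessarily uses). It assumes a small, constructed list of well-known PyPI names as the reference set, a constructed requirements.txt body as input, and an edit-distance threshold of one; the whitelist file name is the one the README names, but it is read as an assumption about its format (one package name per line).

```python
"""Illustrative typosquat check over a requirements file (added example)."""
import re
from pathlib import Path

# ASSUMPTION: a small, constructed list of well-known PyPI names. The README does
# not describe the real tool's data source; a production check would use a
# larger list (for example the most-downloaded packages) refreshed regularly.
KNOWN_PACKAGES = {
    "requests", "numpy", "pandas", "urllib3", "setuptools", "flask",
    "django", "pyyaml", "cryptography", "boto3",
}

# Constructed sample dependency file: one genuine package, one near-miss of
# "requests", one near-miss of "urllib3", and one unrelated internal name.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
requets>=1.0
urlib3
# a comment line
my-internal-tool==0.1 ; python_version >= "3.8"
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of -, _ and . become a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalised project names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blanks and options such as -r / -e
            continue
        # The name is everything before a version specifier, extras or marker.
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def load_whitelist(path: Path) -> set[str]:
    """One package name per line (assumed format); a missing file means no whitelist."""
    if not path.is_file():
        return set()
    return {
        normalize(line.strip())
        for line in path.read_text().splitlines()
        if line.strip() and not line.startswith("#")
    }


def find_suspects(names, known=KNOWN_PACKAGES, whitelist=frozenset(), max_distance=1):
    """Return (dependency, lookalike_of, distance) for names that are not known
    packages themselves but sit within max_distance edits of one. Exact matches
    and whitelisted names are never flagged."""
    known = {normalize(k) for k in known}
    suspects = []
    for name in names:
        if name in known or name in whitelist:
            continue
        for candidate in sorted(known):
            d = levenshtein(name, candidate)
            if 0 < d <= max_distance:
                suspects.append((name, candidate, d))
                break
    return suspects


if __name__ == "__main__":
    deps = parse_requirements(SAMPLE_REQUIREMENTS)
    wl = load_whitelist(Path("typosquathunterwhitelist.txt"))
    for dep, lookalike, dist in find_suspects(deps, whitelist=wl):
        print(f"SUSPECT: {dep!r} is {dist} edit(s) from well-known {lookalike!r}")
```

With the constructed input this flags requets (one edit from requests) and urlib3 (one edit from urllib3), while requests itself and my-internal-tool pass. Raising max_distance catches more aggressive lookalikes but also produces the kind of false positives the roadmap warns about for niche package names, which is exactly what the whitelist is for.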

Run in CI/Docker

Run the container with the app you want to analyse mounted as a volume:

  docker run -v /absolute/path/to/your/local/app:/app ghcr.io/remakingeden/typosquat-hunter:latest

This should run in a similar way in most CI services. Simply check out the repo you want to analyse and then mount it as a volume as above.

Reason For Creation

I have been hearing more and more about attacks using typosquatted packages, and I was surprised when I tried looking for a solution that could spot these in CI. I thought there could be enough data available to spot some, if not most, typosquatting packages. If you'd like to know more about the ways typosquatting can be used to attack projects, check out the below articles.

Feedback

This is a basic POC, built to get some feedback and ideas. If you have any, please feel free to create a PR and we can talk them through.