@aral @EUCommission @nlnet @letsencrypt @cacert not only that, I think we need self-governing namespaces similar to @torproject #OnionServices (even tho they are prone to #typosquatting-esque #sibil/#EvilTwin-style #phishing attacks!)...
Alright, Go developers, listen up! Seriously crazy stuff is happening in the Go world right now. We're talking major typosquatting issues. Attackers are slithering in and spreading malware via fake packages, can you believe it?
So, for goodness sake, pay super close attention to the names of your modules! One little typo and bam! You've got yourself a nasty infection. As a pentester, I see this kind of thing all the time, sadly. Tiny mistakes, HUGE consequences. This malware then installs a backdoor. Totally not cool, right?
Therefore, check your imports, folks! And make sure you're getting your devs trained up on security. Automated scans? Nice to have, sure, but they're absolutely no substitute for a manual pentest! What are your go-to tools for fighting this kind of attack? Oh, and yeah, IT security *has* to be in the budget, that's just the way it is.
Now Go is hit too: Malicious typosquatting discovered in the ecosystem | heise online
https://heise.de/-10270016 #Programmiersprache #Golang #Typosquatting #TyposquattingPaket #Malware
@DeltaWye @SynAck @Kuniti_shino @ErikUden OFC that's the nature of most services that are open to new users.
#Shitter (rather #Teitter before #Mus ruined it!) had #API #RateLimiting to make #Spamming less effective (255 Statuses per 24hrs) even back when #TweetDeck was a separate company...
It won't prevent it entirely but make it more cumbersome.
This prevents remediation and correction of #banlists & #blocklists, leaving a lot of domains burned forever as the only options are "replace" and "merge" and the average #ActivityPub admin or even #User isn't going to learn or set up a #git!
I.e. there isn't really a good way to combat #Typosquatting-based #Phishing beyond banning offending domains...
A malicious Python package named '#fabrice' has been present in the Python Package Index (PyPI) since 2021, stealing Amazon Web Services credentials from unsuspecting developers.
According to application security company Socket, the package has been downloaded more than 37,000 times and executes platform-specific scripts for Windows and Linux.
The large number of downloads is accounted for by fabrice #typosquatting the legitimate SSH remote server management package “fabric,” a very popular library with more than 200 million downloads.
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-with-37-000-downloads-steals-aws-keys/
TIL that running npx foo/bar instead of npx @foo/bar downloads and executes the github.com/foo/bar repo as a package
Also learned that in a CI context (i.e. when environment variable CI=1) npx doesn't wait for confirmation
On a completely unrelated note, here's a neat way to typosquat some NPM packages:
Find a legit project that recommends running their tool with npx. For example @react-docgen/cli hosted under ReactJS's GitHub org.
Check whether the NPM scope name is available as a GitHub user/org name. For example react-docgen was.
Create a repo that matches the tool name but contains your own code. Like github.com/react-docgen/cli.
Wait for someone to accidentally forget the @ and run npx your/package in a CI context.
FWIW, reported this to GitHub - that also owns NPM - through HackerOne. The response: "This is an intentional design decision and is working as expected. We may make this functionality more strict in the future, but don't have anything to announce right now. As a result, this is not eligible for reward under the Bug Bounty program."
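An added check of my own, not code from the thread above: a small lint over a package.json scripts block that flags npx invocations whose first non-flag argument has the unscoped owner/repo shape, which is the GitHub shorthand the post describes rather than an npm package. The package.json content, the script names and the regexes are constructed for this example.

```javascript
// Scoped npm package: "@scope/name", optional "@version" suffix.
const SCOPED_PKG = /^@[a-z0-9][\w.-]*\/[a-z0-9][\w.-]*(@\S+)?$/i;
// Two bare path segments: npx resolves this as github.com/<owner>/<repo>.
const GITHUB_SHORTHAND = /^[a-z0-9][\w.-]*\/[a-z0-9][\w.-]*(#\S+)?$/i;
function classifySpecifier(spec) {
  if (SCOPED_PKG.test(spec)) return 'scoped';
  if (GITHUB_SHORTHAND.test(spec)) return 'github-shorthand';
  return 'other';
}

// First non-flag token after "npx" in one simple command, or null.
function npxTarget(command) {
  const tokens = command.trim().split(/\s+/);
  const at = tokens.indexOf('npx');
  if (at === -1) return null;
  const target = tokens.slice(at + 1).find((t) => !t.startsWith('-'));
  return target === undefined ? null : target;
}
// Split a shell line on &&, ||, ; and | so each npx call is seen on its own.
function simpleCommands(line) {
  return line.split(/\s*(?:&&|\|\||;|\|)\s*/).filter(Boolean);
}

// One finding per npx call whose target has the GitHub shorthand shape.
function lintScripts(scripts) {
  const findings = [];
  for (const [name, line] of Object.entries(scripts)) {
    for (const cmd of simpleCommands(line)) {
      const spec = npxTarget(cmd);
      if (spec !== null && classifySpecifier(spec) === 'github-shorthand') {
        findings.push({ script: name, specifier: spec, command: cmd });
      }
    }
  }
  return findings;
}
function lintPackageJson(text) {
  return lintScripts(JSON.parse(text).scripts || {});
}

// Constructed sample package.json; "docs-typo" is the slip from the post.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  scripts: {
    docs: 'npx @react-docgen/cli src/',
    'docs-typo': 'npx react-docgen/cli src/',
    lint: 'npm test && npx --yes prettier --check .',
    ci: 'CI=1 npx foo/bar --out build',
  },
});
console.log(lintPackageJson(SAMPLE_PACKAGE_JSON));
```

The same lint can be pointed at CI workflow steps, since a "CI=1 npx foo/bar" line there is exactly the case where npx skips the confirmation prompt.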
There is a GPT in ChatGPT which is typosquatting the name of Sora to do rickrolling... So there is no evaluation of new GPTs by OpenAI?
FIRST.org released the videos from Montreal FIRSTCON2023 including the presentation I did about @circl typosquatting-finder
Typosquatting finder Python library - https://github.com/typosquatter/ail-typo-squatting
Online version of the typosquatting-finder service: https://typosquatting-finder.circl.lu/
#opensource #typosquatting #infosec
cc @firstdotorg
We released a new version of the typosquatting Python library
Source code - https://github.com/typosquatter/ail-typo-squatting
Online version - https://typosquatting-finder.circl.lu/
The library has been improved to remove potential TLD/gTLDs which do a catch-all for any domain. A random string is queried while testing to limit potential false positives.
Another option has been added to combine algorithms together.