WPI - Computer Science Department, MS Thesis Presentation, Shradha Neupane " Beyond Typosquatting: An In-depth Look at Package Confusability"


Computer Science

Shradha Neupane

MS Student

WPI – Computer Science


Thursday, April 20, 2023

Time: 11:30 a.m. – 12:30 p.m.

 Zoom (https://wpi.zoom.us/j/94385144997)


Advisor: Prof. Robert Walls

Reader: Prof. Lorenzo De Carli


Package confusion attacks—where an attacker successfully confuses a developer into

importing a malicious attack package rather than the intended benign one—are one of

the most severe issues in supply chain security. While the prevalence of the issue is

generally well-documented, little work has studied the range of mechanisms an adversary

could use to cause confusion in a package name. In our work, we present the first

comprehensive categorization of the mechanisms used to induce confusion, and we show

how this understanding can improve detection.


First, we use qualitative analysis to identify and rigorously define 13 attack categories

of confusion mechanisms based on a dataset of 1200+ documented incidents. Results show

that, while package confusion is thought to mostly exploit typing errors, in practice attack-

ers use a variety of mechanisms, many of which work at semantic, rather than syntactic,

level. Equipped with our categorization, we then define detectors for the discovered attack

categories, and we evaluate them on the entire npm package set.


Evaluation of a sample, performed through an online survey, identifies a subset of

highly effective detection rules which (i) return high-quality matches (on average, >70%

matches marked as potentially confusing), and (ii) generate low warning overhead (1

warning per 101M package pairs). Comparison with state-of-the-art reveals that the large

majority of such pairs are not flagged by existing tools. Thus, our work has the potential to

concretely improve the identification of confusable package names in the wild.