WPI - Computer Science Department, MS Thesis Presentation, Shradha Neupane " Beyond Typosquatting: An In-depth Look at Package Confusability"
WPI – Computer Science
Thursday, April 20, 2023
Time: 11:30 a.m. – 12:30 p.m.
Advisor: Prof. Robert Walls
Reader: Prof. Lorenzo De Carli
Package confusion attacks—where an attacker successfully confuses a developer into
importing a malicious attack package rather than the intended benign one—are one of
the most severe issues in supply chain security. While the prevalence of the issue is
generally well-documented, little work has studied the range of mechanisms an adversary
could use to cause confusion in a package name. In our work, we present the first
comprehensive categorization of the mechanisms used to induce confusion, and we show
how this understanding can improve detection.
First, we use qualitative analysis to identify and rigorously define 13 attack categories
of confusion mechanisms based on a dataset of 1200+ documented incidents. Results show
that, while package confusion is thought to mostly exploit typing errors, in practice attack-
ers use a variety of mechanisms, many of which work at semantic, rather than syntactic,
level. Equipped with our categorization, we then define detectors for the discovered attack
categories, and we evaluate them on the entire npm package set.
Evaluation of a sample, performed through an online survey, identifies a subset of
highly effective detection rules which (i) return high-quality matches (on average, >70%
matches marked as potentially confusing), and (ii) generate low warning overhead (1
warning per 101M package pairs). Comparison with state-of-the-art reveals that the large
majority of such pairs are not flagged by existing tools. Thus, our work has the potential to
concretely improve the identification of confusable package names in the wild.