[trishankkarthik]

I work in this area. This is not a supply chain attack. This is a typosquatting "attack" people keep rediscovering every year or two.

I know, because I wrote an as yet unpublished paper on safely pulling packages from private and public repos.

[acdha]

I think you’re getting downvoted because your point is obscured by the confrontational tone. Argument by authority is especially unconvincing when you aren’t using common terms correctly. In normal usage, “typosquatting” refers to someone registering common misspellings in a shared namespace. As clearly described in the post this is not that but rather exploiting non-obvious differences in the order in which different namespaces are checked.

Using terms correctly is especially important in security: someone who read your comment might incorrectly believe that this did not affect them because they are using the correct names for all of their dependencies.

[ex_amazon_sde]

This is not correct.

Installing packages only from a trusted (and signed) source protects against typosquatting, misread or confusing package names and many other risks.

[itake]

forgive my naivety, but my understanding of the NPM and rubygems ecosystem is open source packages host their source code on github/gitlab. The source code is super easy to view. Often times, the author will use tags or branches dedicated to specific versions of the code.

For distribution, js and ruby use rubygems and npm to host packages. If a developer wants to verify that the package hosted on npm is the same code being displayed and worked on by contributors on github, they need to pull down both sets of code and then either run a checksum or compare line by line to verify the code matches up. Malware or a nefarious package owner could slip in unexpected code into the package before shipping it to the package host, leaving the github version without the changes. No typo-squatting needed.

Just because some form of the source code is published to Github, doesn't mean its the same code that is hosted on npm or ruby gems.

[ex_amazon_sde]

I'm not sure what point you are making.

Yet, reviewing hundreds of thousands SLOCs (across different languages) and also checking legal compliance requires significant skills, time and efforts.

As an individual, you cannot justify reviewing the entire dependency tree across all your projects.

Thankfully you can rely on the packages reviewed and built internally by your colleagues - or use a Linux distribution that does thorough vetting.

[itake]

Amazon probably builds everything in house. Smaller shops rely more on open source tools like npm or Ruby gems.

I think there are supply chain attack vectors in those resources

[pgo]

There are no typos here, the root issue is package manager preferring public packages of the same name over private ones

[psanford]

There's no typos in this attack.

[itake]

Can you share a link to the paper? My email is in my HN bio.