
Challenge around node.js package typo squatting #368

Closed
tghosth opened this issue Aug 6, 2017 · 4 comments

Comments

@tghosth
Contributor

tghosth commented Aug 6, 2017

This might be a bit too obscure but I wonder if there could be a challenge related to reporting to juiceshop devs that they are using a fake version of a package, based on the issue documented here.

https://iamakulov.com/notes/npm-malicious-packages/

They could discover this from the package.json.bak.

Maybe if we created a harmless typosquatting package (i.e. it just says it is used for this challenge but doesn't do anything malicious) then it wouldn't get deleted from npm?

Also needs to be obvious enough, e.g. jsonweebtoken

@bkimminich
Member

That's a wonderful idea. Making a typosquatted version of one of the security libs, e.g. "helmetjs" or the one for file upload "multr" or "mullter".

bkimminich added a commit that referenced this issue Aug 15, 2017
(for upcoming typo squatting challenge #368)
@bkimminich
Member

I created https://github.com/bkimminich/epilogue-js which is a bare copy of https://github.com/dchester/epilogue where I removed all build automation configs and bumped the version to 0.7.2 (whereas the original is 0.7.1) - there is no malicious content in epilogue-js whatsoever.

@dchester CC'ing you into this ticket to make you aware of the fact that there now is a package https://www.npmjs.com/package/epilogue-js on NPM which is essentially stolen 1:1 from your epilogue with just adding a disclaimer to make sure nobody actually uses it:
[screenshot: the disclaimer added to epilogue-js]
In case you are not happy with me abusing epilogue as a demo for typosquatting NPM modules, please let me know and I will find another module to typosquat.

@bkimminich
Member

Added new typosquatted Angular package ng2-bar-rating which mirrors ngx-bar-rating by @MurhafSousli. No malicious changes were made to the library and it features a disclaimer header:

[screenshot: the disclaimer header in ng2-bar-rating]

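A defender-side check for the lookalike names discussed in this thread (epilogue-js vs epilogue, ng2-bar-rating vs ngx-bar-rating, jsonweebtoken vs jsonwebtoken, helmetjs vs helmet), as an added example that is not Juice Shop's own code: it scans a package.json dependency map for names within a couple of edits of an allowlist of known packages. The allowlist and the sample dependency block are constructed for the example; real tooling would take the allowlist from an SBOM or registry.

```javascript
// Added example, not from Juice Shop or the thread. KNOWN_PACKAGES is a
// constructed stand-in for an organisation's allowlist of trusted packages.
const KNOWN_PACKAGES = ['epilogue', 'ngx-bar-rating', 'jsonwebtoken', 'helmet', 'multer', 'express'];

// Optimal string alignment (Damerau-Levenshtein) distance: insertions, deletions,
// substitutions and adjacent transpositions, which covers most typing slips.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Strip decorations commonly bolted onto a real name ("epilogue-js", "helmetjs", "node-foo")
// so that a suffix/prefix squat compares against the bare name.
function normalise(name) {
  return name.toLowerCase().replace(/^(node|npm)[-_.]/, '').replace(/[-_.]?js$/, '');
}

// Returns [{ dependency, lookalike, distance }] for every dependency that is not
// itself on the allowlist but is within `maxDistance` edits of an allowlisted name.
function findLookalikes(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const knownSet = new Set(known);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (knownSet.has(dep)) continue; // exact match: the real package
    for (const real of known) {
      const distance = Math.min(editDistance(dep, real), editDistance(normalise(dep), normalise(real)));
      if (distance <= maxDistance) findings.push({ dependency: dep, lookalike: real, distance });
    }
  }
  return findings;
}

// Constructed sample: a package.json "dependencies" block containing the thread's lookalikes.
const SAMPLE_DEPENDENCIES = {
  express: '4.15.4', 'epilogue-js': '0.7.2', 'ng2-bar-rating': '1.0.0', jsonweebtoken: '7.4.1', helmet: '3.8.1',
};

console.table(findLookalikes(SAMPLE_DEPENDENCIES));
```

A distance of 0 after normalisation (as for epilogue-js) is the strongest signal, since the only difference from the real package is a decorative suffix or prefix.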
@lock

lock bot commented Nov 4, 2019

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 4, 2019