Challenge around node.js package typo squatting #368
Comments
That's a wonderful idea. Making a typosquatted version of one of the security libs, e.g. "helmetjs" or the one for file upload "multr" or "mullter".
(for upcoming typo squatting challenge #368)
I created https://github.com/bkimminich/epilogue-js which is a bare copy of https://github.com/dchester/epilogue where I removed all build automation configs and bumped the version to 0.7.2 (whereas the original is 0.7.1) - there is no malicious content in @dchester CC'ing you into this ticket to make you aware of the fact that there now is a package https://www.npmjs.com/package/epilogue-js on NPM which is essentially stolen 1:1 from your
(otherwise #368 would be almost unsolvable!)
Added new typosquatted Angular package ng2-bar-rating which mirrors ngx-bar-rating by @MurhafSousli. No malicious changes were made to the library and it features a disclaimer header:
This might be a bit too obscure but I wonder if there could be a challenge related to reporting to juiceshop devs that they are using a fake version of a package, based on the issue documented here.
https://iamakulov.com/notes/npm-malicious-packages/
They could discover this from the package.json.bak.
Maybe if we created a harmless typosquatting package (i.e. it just says it is used for this challenge but doesn't do anything malicious) then it wouldn't get deleted from npm?
Also needs to be obvious enough, e.g. jsonweebtoken
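An added check, not part of this issue or the Juice Shop code base, that a defender could run over a recovered package.json.bak: it flags dependency names that are a suffix variant of, or one edit away from, a known package, using the lookalike names mentioned in this thread as constructed input (the allowlist and the sample manifest are assumptions made for the example).

```javascript
// Known-good package names; a real allowlist would come from the lockfile or registry policy (assumed here).
const KNOWN_PACKAGES = ['epilogue', 'multer', 'helmet', 'jsonwebtoken', 'ngx-bar-rating', 'express'];

// Constructed sample of a leaked package.json.bak referencing lookalike packages (not Juice Shop's own).
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'sample-app', dependencies: { express: '^4.16.0', 'epilogue-js': '^0.7.2', jsonweebtoken: '^8.0.0', 'ng2-bar-rating': '^1.0.0', multer: '^1.3.0' } });

// Levenshtein edit distance (insert / delete / substitute) using a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip decorations typosquats commonly add ("-js", "js", "node-") before comparing names.
function normalize(name) {
  return name.toLowerCase().replace(/^node-/, '').replace(/[-_.]?js$/, '');
}

// Returns [{ name, lookalike, reason }] for each dependency that is not on the allowlist but equals a
// known name after normalisation, or is one edit away from a known name of 5+ characters (the length
// floor keeps short names such as "got" from colliding with unrelated short names).
function findLookalikes(packageJsonText, known = KNOWN_PACKAGES) {
  const pkg = JSON.parse(packageJsonText);
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const dep of deps.filter((d) => !known.includes(d))) {
    for (const k of known) {
      const d = editDistance(normalize(dep), normalize(k));
      if (d === 0 || (d === 1 && normalize(k).length >= 5)) {
        findings.push({ name: dep, lookalike: k, reason: d === 0 ? 'suffix/prefix variant' : 'one edit away' });
        break;
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(findLookalikes(SAMPLE_PACKAGE_JSON), null, 2));
```

Against the constructed manifest this reports epilogue-js, jsonweebtoken and ng2-bar-rating with the package each one imitates, while the genuine express and multer entries pass.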