A tool to detect potential typosquatting packages based on static and dynamic analysis.
Currently supports NPM, PyPI and RubyGems packages.
The tool consists of 3 modules:
- Module 1 - Candidate Name Generator
- Module 2 - Static Evaluator
- Module 3 - Dynamic Analyzer
Module 1 (Candidate Name Generator) generates potential typosquatting candidates for a given package name.
Compile by running
go build -o typogenerator cmd/typogen/main.go
Usage of ./typogenerator:
-j=false: Display JSON output
-r="pypi": Defines the package registry to search in (rubygems, pypi, npm)
-s="zenithar": Defines package to alternate
-v=false: Perform validation for generated candidates
Example
./typogenerator -s through2 -r npm -j -v
Module 2 (Static Evaluator) evaluates and scores a package on reputational factors such as author age, author GitHub activity and package popularity.
Module 3 (Dynamic Analyzer) evaluates a package dynamically, based on the files it accesses, the sockets it creates and the DNS queries it makes. It first records a baseline from the original, legitimate package, then looks for deviations by comparing the behaviour observed for the typosquatting candidate against that baseline.
Note: run as sudo.
usage: module-3.py [-h] [-p [P]] [-t [T]] [-r [R]]
options:
-h, --help show this help message and exit
-p [P] original package name
-t [T] typosquatting package name
-r [R] registry name
Example
sudo python3 module-3.py -p python-dateutil -t python-dateuti -r pypi
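The two core ideas above, candidate name generation (Module 1) and baseline-versus-candidate behaviour comparison (Module 3), as an added Python example that is not part of this tool's code. The generation strategies (omission, transposition, separator swap, look-alike substitution) and the sample file, socket and DNS sets are assumptions for illustration, not the tool's own data.

```python
from dataclasses import dataclass, field

def typo_candidates(name: str) -> set[str]:
    """Generate typosquatting candidates for a package name with a few common
    strategies (assumed here; the real generator may use a different list):
    single-character omission, adjacent transposition, separator swap,
    and look-alike character substitution."""
    cands = set()
    for i in range(len(name)):
        cands.add(name[:i] + name[i + 1:])                       # omission: python-dateutil -> python-dateuti
    for i in range(len(name) - 1):
        cands.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # adjacent transposition
    for a, b in (("-", "_"), ("_", "-"), ("-", ""), ("_", "")):
        if a in name:
            cands.add(name.replace(a, b))                        # separator swap / removal
    for a, b in (("l", "1"), ("o", "0"), ("i", "l"), ("rn", "m")):
        if a in name:
            cands.add(name.replace(a, b, 1))                     # first look-alike substitution only
    cands.discard(name)                                          # never report the original itself
    return {c for c in cands if c}

@dataclass
class Behaviour:
    """What a package did during dynamic analysis: files touched, sockets opened, names resolved."""
    files: set = field(default_factory=set)
    sockets: set = field(default_factory=set)
    dns: set = field(default_factory=set)

def deviations(baseline: Behaviour, candidate: Behaviour) -> dict:
    """Return only the activity seen for the candidate package that never
    appeared in the original package's baseline, per category."""
    return {
        "files": sorted(candidate.files - baseline.files),
        "sockets": sorted(candidate.sockets - baseline.sockets),
        "dns": sorted(candidate.dns - baseline.dns),
    }

# Constructed sample data: the original package only reads its own install tree,
# while the look-alike additionally reads a sensitive file and phones home
# (TEST-NET address and .invalid domain, so nothing here is a real host).
ORIGINAL = Behaviour(files={"/usr/lib/python3/site-packages/dateutil/__init__.py"})
CANDIDATE = Behaviour(files={"/usr/lib/python3/site-packages/dateutil/__init__.py", "/etc/passwd"},
                      sockets={"203.0.113.10:443"}, dns={"collector.example.invalid"})

if __name__ == "__main__":
    print(sorted(typo_candidates("through2"))[:5])
    print(deviations(ORIGINAL, CANDIDATE))
```

Any non-empty category in the result is a deviation worth a manual look; an empty result for all three categories means the candidate behaved like the baseline within what was observed.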
- Module 1 was adapted from typogenerator.
- Module 3 was adapted from package-analysis.