"Npm Packages Vulnerable to Old-School Weapon: the 'Shift' Key"

Since 2017, attackers have been able to imitate legitimate Node Package Manager (npm) packages simply by removing the capital letters from their names. According to Checkmarx, npm did not address this form of typosquatting for years, during which enterprises could have installed malware inadvertently. The registry has now closed the gap, but organizations should review any packages they may have installed before the fix for look-alike names.

Typosquatting is the deliberate, subtle misspelling of a legitimate name, such as a Web domain or a package name, so that a careless reader or an automated install picks up the impostor. For example, an attacker might swap a capital "I" for a lowercase "l" in a name, or substitute zeros for the two "o"s in "Google".

To combat typosquatting in its registry, npm changed its naming rules on December 26, 2017: from then on, new package names could contain only lowercase letters. However, the thousands of existing packages with capital letters in their names remained, and no mechanism prevented a new, all-lowercase package from duplicating one of them in everything but capitalization. A request for the lowercase spelling therefore resolved to the impostor rather than to the established package. This article continues to discuss the typosquatting techniques hackers have used to trick enterprises into downloading malware.
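The following script, an added example that is not code from Dark Reading, Checkmarx or npm, shows the kind of check a team can run over its own manifests: it lowercases every dependency name and flags any that match a known mixed-case package only after case folding. The legacy-name list and the package.json it audits are constructed for the demonstration; a real inventory would list the mixed-case packages the organization actually depends on, and the same logic should be run over the lockfile, since that is what `npm ci` installs.

```javascript
// Added example, not from the original article or from npm itself.
// Detects dependencies that duplicate a known mixed-case package name in all
// but capitalization, the "shift key" typosquat described above.

// Constructed inventory of legacy mixed-case names (hypothetical packages).
// In practice, populate this from the mixed-case packages your projects use.
const LEGACY_MIXED_CASE = ["ExampleStream", "Acme-Utils", "@acme/WidgetKit"];

// Constructed package.json for the demonstration.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "examplestream": "^1.0.0", // lowercase look-alike of ExampleStream
    "Acme-Utils": "2.1.0",     // the genuine legacy mixed-case name
    "lodash": "^4.17.21"       // unrelated, should not be flagged
  },
  devDependencies: {
    "@acme/widgetkit": "0.3.0" // lowercase look-alike of a scoped legacy name
  }
});

// Returns { collisions, legacyNamesInUse }:
//   collisions       - dependencies that equal a legacy name only after
//                      lowercasing (candidate typosquats to verify by hand)
//   legacyNamesInUse - dependencies that use the exact legacy spelling
function auditPackageJson(packageJsonText, legacyNames) {
  // Map the case-folded form of each legacy name back to its canonical spelling.
  const byLowercase = new Map(legacyNames.map((n) => [n.toLowerCase(), n]));

  const manifest = JSON.parse(packageJsonText);
  const deps = Object.assign(
    {},
    manifest.dependencies,
    manifest.devDependencies,
    manifest.optionalDependencies
  );

  const collisions = [];
  const legacyNamesInUse = [];
  for (const dep of Object.keys(deps)) {
    const canonical = byLowercase.get(dep.toLowerCase());
    if (canonical === undefined) continue; // no legacy name folds to this
    if (canonical === dep) {
      legacyNamesInUse.push(dep);
    } else {
      collisions.push({ dependency: dep, collidesWith: canonical });
    }
  }
  return { collisions, legacyNamesInUse };
}

// Stand-alone run over the constructed manifest.
const report = auditPackageJson(SAMPLE_PACKAGE_JSON, LEGACY_MIXED_CASE);
for (const c of report.collisions) {
  console.log(`WARN: "${c.dependency}" differs from "${c.collidesWith}" only by case`);
}
for (const n of report.legacyNamesInUse) {
  console.log(`info: "${n}" uses the original mixed-case spelling`);
}
```

A flagged name is not proof of malice; it is a prompt to confirm which package the project actually intended and to pin that exact spelling in the lockfile.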

Dark Reading reports "Npm Packages Vulnerable to Old-School Weapon: the 'Shift' Key"
