Typo-Squatting: Another Reason for UPMs

npm published a blog yesterday stating that a user named ‘hacktask’ had published several dozen packages created with malicious intent.

Hacktask named his packages to mirror legitimate packages with slight variations inserted, hoping that users searching for the genuine package would install the malware by mistake, often because of a typing error (hence typo-squatting).

The download counts npm reports for these malicious packages aren't huge, but once mirror repositories are taken into account the real numbers are likely much higher. npm users are being advised to check for, and remove, any of these packages that might have been pulled into their systems.

To see the full list you can read the npm blog post.

This kind of abuse is another reason that having an in-house package manager is necessary. An organization can keep malicious packages like these out of its codebase by designating approved packages and enforcing a rule that any new package requires manual inspection and approval.

By coupling manual inspection with features like license filtering, vulnerability scanning, and user restrictions, UPMs create a more secure system and make it easier to avoid attacks like this one.
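As an added illustration (not code from the post or from any particular package manager), here is the kind of gate an in-house package manager could run over a project's dependency list: anything on the approved list passes, anything within a couple of edits of an approved name is flagged as a likely typo-squat, and everything else is routed to manual review. The approved list and the sample dependencies are constructed for the example.

```javascript
// Levenshtein edit distance between two strings, using a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j], needed as next diag
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution / match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Constructed allowlist: packages the organization has inspected and approved.
const APPROVED = new Set(["lodash", "express", "react"]);

// Sort each dependency into one of three buckets:
//   approved    - exact match on the allowlist
//   suspicious  - not approved, but within maxDistance edits of an approved name
//   needsReview - not approved and not a look-alike; goes to manual inspection
function reviewDependencies(deps, approved = APPROVED, maxDistance = 2) {
  const report = { approved: [], suspicious: [], needsReview: [] };
  for (const name of Object.keys(deps)) {
    if (approved.has(name)) { report.approved.push(name); continue; }
    let closest = null;
    for (const ok of approved) {
      const d = editDistance(name.toLowerCase(), ok.toLowerCase());
      if (d <= maxDistance && (closest === null || d < closest.distance)) {
        closest = { name: ok, distance: d };
      }
    }
    if (closest) report.suspicious.push({ name, lookalike: closest.name, distance: closest.distance });
    else report.needsReview.push(name);
  }
  return report;
}

// Constructed "dependencies" block standing in for a project's package.json.
const SAMPLE_DEPS = { lodash: "^4.17.4", lodahs: "1.0.0", expres: "0.0.1", "left-pad": "1.1.3" };

console.log(JSON.stringify(reviewDependencies(SAMPLE_DEPS), null, 2));
```

A real gate would fail the build whenever `suspicious` or `needsReview` is non-empty, and would compare against the registry's most-downloaded names as well as the internal allowlist.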