Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Python Typosquatting for Fun not Profit- 234

William Bengtson, posted 5 years ago
  • Typosquatting is the art of sitting on a bunch of different names that are 'typos' of something legitimate, hoping that someone will make the mistake.
  • In this case, it was in the context of Python packages. With Python, we use the central repository (PyPI) to download packages.
  • The author created typosquatting packages for the 10,000 most downloaded Python projects by removing underscores (_) and dashes (-) from the library names.
  • After two years of squatting, 530,950 installs of the improper packages were recorded! That's an astounding number of downloads from just a single type of typo.
  • Why is this a bad deal? This type of attack is known as a supply chain attack: by poisoning the packages a user downloads, the environment is compromised from the beginning.
  • In terms of an actual attack, persistence on the system (via install scripts) or theft of sensitive data, such as SSH keys, can occur.
  • Overall, this is a really effective long-term attack for an attacker. Honestly, I remember seeing this banner come up on multiple occasions.
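The defensive counterpart to the article's experiment is a pre-install check on a requirements file: normalize every requested name the way PyPI does (PEP 503 treats runs of `-`, `_` and `.` as one `-` and lowercases), then see whether the name, with its separators stripped out entirely, collides with a well-known package it is not. The following is an added example, not code from the article or its author; the top-package list and the requirements lines are constructed stand-ins, and the check is slightly broader than the article's single typo, since it flags any name that differs from a known package only by inserted or dropped separators.

```python
import re

# Constructed stand-in for the "10,000 most downloaded" list the article
# describes; a real check would load the actual top-N list. Names are kept
# the way their maintainers publish them.
TOP_PACKAGES = ["requests", "python-dateutil", "scikit-learn", "typing_extensions", "six"]

# Constructed requirements file: two lines are separator-dropped typos.
SAMPLE_REQUIREMENTS = """
requests==2.31.0
pythondateutil
scikit_learn>=1.0   # PEP 503 treats '_' and '-' as the same project
typingextensions>=4.0
# a comment line
""".strip().splitlines()

# Project name at the start of a requirement line (version specifiers,
# extras and trailing comments are ignored; comment and option lines
# do not match because they do not start with an alphanumeric).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def pep503_normalize(name: str) -> str:
    """PyPI's canonical form: runs of '-', '_' and '.' become '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def collapse_separators(name: str) -> str:
    """The typo the article squatted: separators removed entirely."""
    return re.sub(r"[-_.]+", "", name).lower()


def build_collision_index(top_packages):
    """Return (set of legitimate canonical names, map collapsed-form -> published name)."""
    legit = {pep503_normalize(n) for n in top_packages}
    index = {}
    for n in top_packages:
        # If two legitimate names collapse to the same string, keep the first;
        # legitimate names are never flagged because they are checked first.
        index.setdefault(collapse_separators(n), n)
    return legit, index


def check_requirements(req_lines, top_packages):
    """Classify each requirement as 'ok', 'possible-typosquat' or 'unknown'.

    Returns a list of (requested_name, verdict, suggested_package_or_None).
    """
    legit, index = build_collision_index(top_packages)
    results = []
    for line in req_lines:
        m = _NAME_RE.match(line)
        if not m:
            continue  # blank, comment, or option line such as '-r other.txt'
        requested = m.group(1)
        if pep503_normalize(requested) in legit:
            results.append((requested, "ok", None))
            continue
        hit = index.get(collapse_separators(requested))
        if hit is not None:
            results.append((requested, "possible-typosquat", hit))
        else:
            results.append((requested, "unknown", None))
    return results


if __name__ == "__main__":
    for name, verdict, suggestion in check_requirements(SAMPLE_REQUIREMENTS, TOP_PACKAGES):
        extra = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"{name:20} {verdict}{extra}")
```

Run against the constructed input, `pythondateutil` and `typingextensions` are flagged with the package they collide with, while `scikit_learn` passes because PyPI already treats it as `scikit-learn`. An "unknown" verdict only means the name is outside the top list, not that it is safe; the check is a cheap gate in front of `pip install`, not a replacement for pinning hashes or using a vetted internal index.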