typosquatting 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e50bfd6b6ae458a3c588600cf0ae4e3fe7a551bf801d0133dca2c88d5df423d6
-  data.tar.gz: d9f0abe8dd964b970e0f760f807b4b76a2f71d3ad9a05b32dcf5b19ce1438f76
+  metadata.gz: 57ce19f59014bac56c5922b53d59c794ef8b55c3ff13cde363db2bef133aff23
+  data.tar.gz: facd26dd6b71803eadfb0c2395f7a0a1249d25992c38d5cf07a15a255de91d69
 SHA512:
-  metadata.gz: 9cf712d35089a972dd4b9cd47139cb0b793a901f2665de3027629c0f6f39faa1216ef2df4092ee04bc21c89b5c9e2f44e4b26dcbf95598c9b64a151793b3f6be
-  data.tar.gz: 4bb644fb9af9173051c6de93b5d0b5e88f3dac01ff6873dba102dfb2a72d64e0acda77daf7116597a1a93945e050a04f9603c18a039f6faca0761be51e310142
+  metadata.gz: f1de5348e69ee48a5eadcd7fccc310b5f7224f888e84a69bac5ba5fd6bd7d01a64638650834e39ad9f7c55083ec6dd9b3613ed83aefe6019724325a5fcf3b07d
+  data.tar.gz: 40fe04d1f03d7917bac5663a5a22f90b0bfef24307f9656d9401cb77dbff710f332de4c15c7165a564f81ca6a701ea783fd26ceea335b09309260d1526dc87ef

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [0.2.0] - 2025-12-17
+
+- Add GitHub Actions ecosystem for CI/CD workflow typosquatting detection
+- Add namespace-aware variant generation for ecosystems with owner/vendor (Go, Composer, npm scoped packages)
+- Add bitflip algorithm for bitsquatting attacks
+- Add adjacent_insertion algorithm for inserting adjacent keyboard characters
+- Add double_hit algorithm for replacing consecutive identical characters with adjacent keys
+- Add length-aware algorithm filtering to reduce false positives for short package names (under 5 chars)
+- Add combosquatting algorithm for common package suffixes (-js, -py, -cli, -lite, etc.)
+
 ## [0.1.0] - 2025-12-16
 
 - Initial release

data/README.md

@@ -2,7 +2,7 @@
 
 Detect potential typosquatting packages across package ecosystems. Generate typosquat variants of package names and check if they exist on package registries.
 
-Supports PyPI, npm, RubyGems, Cargo, Go, Maven, NuGet, Composer, Hex, and Pub.
+Supports PyPI, npm, RubyGems, Cargo, Go, Maven, NuGet, Composer, Hex, Pub, and GitHub Actions.
 
 ## When to use this
 
@@ -17,6 +17,8 @@ This tool helps you:
 
 False positives are common. A package named `request` isn't necessarily a typosquat of `requests`. Use the output as a starting point for investigation, not as a definitive verdict.
 
+Short package names (under 5 characters) produce more false positives because many legitimate short packages exist. By default, the generator uses only high-confidence algorithms (homoglyph, repetition, replacement, transposition) for short names. Use `--no-length-filter` to disable this and run all algorithms regardless of name length.
+
 ## Installation
 
 ```bash
@@ -53,6 +55,9 @@ typosquatting check requests -e pypi --dry-run
 # Check for dependency confusion risks
 typosquatting confusion com.company:internal-lib -e maven
 
+# Check GitHub Actions for typosquats
+typosquatting check actions/checkout -e github_actions
+
 # Check multiple packages from a file
 typosquatting confusion -e maven --file internal-packages.txt
 
@@ -158,6 +163,7 @@ Use these identifiers with the `-e` / `--ecosystem` flag:
 | `composer` | Packagist | No | `-` `_` `.` | `vendor/package` format |
 | `hex` | hex.pm | No | `_` | Underscore only, no hyphens |
 | `pub` | pub.dev | No | `_` | Underscore only, 2-64 chars |
+| `github_actions` | GitHub | No | `-` `_` `.` | `owner/repo` format, targets CI/CD workflows |
 
 ## Algorithms
 
@@ -177,6 +183,10 @@ Use these names with the `-a` / `--algorithms` flag (comma-separated):
 | `plural` | Singularize/pluralize | `request` -> `requests` |
 | `misspelling` | Common typos | `library` -> `libary` |
 | `numeral` | Number/word swap | `lib2` -> `libtwo` |
+| `bitflip` | Single-bit errors (bitsquatting) | `google` -> `coogle` |
+| `adjacent_insertion` | Insert adjacent keyboard key | `google` -> `googhle` |
+| `double_hit` | Replace double chars with adjacent | `google` -> `giigle` |
+| `combosquatting` | Add common package suffixes | `lodash` -> `lodash-js` |
 
 ## SBOM Support
 
@@ -194,6 +204,10 @@ Package lookups use the [ecosyste.ms](https://packages.ecosyste.ms) API. Request
 
 Be mindful when checking many packages. The `--dry-run` flag shows what would be checked without making API calls.
 
+## Dataset
+
+The [ecosyste-ms/typosquatting-dataset](https://github.com/ecosyste-ms/typosquatting-dataset) contains 143 confirmed typosquatting attacks from security research, mapping malicious packages to their targets with classification and source attribution. Useful for testing detection tools and understanding real attack patterns.
+
 ## Development
 
 ```bash

data/lib/typosquatting/algorithms/adjacent_insertion.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class AdjacentInsertion < Base
+      KEYBOARD_ADJACENT = Replacement::KEYBOARD_ADJACENT
+
+      def generate(package_name)
+        variants = []
+
+        package_name.each_char.with_index do |char, i|
+          adjacent = KEYBOARD_ADJACENT[char.downcase] || []
+          adjacent.each do |adj_char|
+            variants << package_name[0..i] + adj_char + package_name[(i + 1)..]
+            variants << package_name[0...i] + adj_char + package_name[i..]
+          end
+        end
+
+        variants.uniq
+      end
+    end
+  end
+end

data/lib/typosquatting/algorithms/base.rb

@@ -26,7 +26,11 @@ module Typosquatting
           WordOrder.new,
           Plural.new,
           Misspelling.new,
-          Numeral.new
+          Numeral.new,
+          Bitflip.new,
+          AdjacentInsertion.new,
+          DoubleHit.new,
+          Combosquatting.new
         ]
       end
     end

data/lib/typosquatting/algorithms/bitflip.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class Bitflip < Base
+      VALID_CHARS = (("a".."z").to_a + ("0".."9").to_a + %w[- _]).freeze
+
+      def generate(package_name)
+        variants = []
+
+        package_name.each_char.with_index do |char, i|
+          flipped = bitflip_char(char)
+          flipped.each do |new_char|
+            next unless VALID_CHARS.include?(new_char)
+
+            variant = package_name[0...i] + new_char + package_name[(i + 1)..]
+            variants << variant
+          end
+        end
+
+        variants.uniq
+      end
+
+      def bitflip_char(char)
+        byte = char.ord
+        results = []
+
+        8.times do |bit|
+          flipped_byte = byte ^ (1 << bit)
+          next if flipped_byte > 127 || flipped_byte < 32
+
+          results << flipped_byte.chr
+        end
+
+        results.reject { |c| c == char }
+      end
+    end
+  end
+end

data/lib/typosquatting/algorithms/combosquatting.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class Combosquatting < Base
+      SUFFIXES = %w[
+        js .js -js
+        py -py -python python
+        -node node- -npm npm-
+        -cli -api -core -utils -util -lib -pkg
+        -lite -dev -test -beta -alpha
+        -compat -legacy -next -new -v2
+        -simd -fast -async
+        s -s
+      ].freeze
+
+      PREFIXES = %w[
+        py- python-
+        node- npm-
+        go-
+        js-
+        my- the- a-
+      ].freeze
+
+      def generate(package_name)
+        variants = []
+
+        SUFFIXES.each do |suffix|
+          variants << "#{package_name}#{suffix}"
+        end
+
+        PREFIXES.each do |prefix|
+          variants << "#{prefix}#{package_name}"
+        end
+
+        variants.uniq
+      end
+    end
+  end
+end

data/lib/typosquatting/algorithms/double_hit.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class DoubleHit < Base
+      KEYBOARD_ADJACENT = Replacement::KEYBOARD_ADJACENT
+
+      def generate(package_name)
+        variants = []
+
+        (package_name.length - 1).times do |i|
+          next unless package_name[i] == package_name[i + 1]
+
+          char = package_name[i].downcase
+          adjacent = KEYBOARD_ADJACENT[char] || []
+
+          adjacent.each do |adj_char|
+            variant = package_name[0...i] + adj_char + adj_char + package_name[(i + 2)..]
+            variants << variant
+          end
+        end
+
+        variants.uniq
+      end
+    end
+  end
+end

data/lib/typosquatting/cli.rb

@@ -36,13 +36,14 @@ module Typosquatting
     end
 
     def generate(args)
-      options = { format: "text", verbose: false }
+      options = { format: "text", verbose: false, length_filtering: true }
       parser = OptionParser.new do |opts|
         opts.banner = "Usage: typosquatting generate PACKAGE -e ECOSYSTEM [options]"
         opts.on("-e", "--ecosystem ECOSYSTEM", "Package ecosystem (required)") { |v| options[:ecosystem] = v }
         opts.on("-f", "--format FORMAT", "Output format (text, json, csv)") { |v| options[:format] = v }
         opts.on("-v", "--verbose", "Show algorithm for each variant") { options[:verbose] = true }
         opts.on("-a", "--algorithms LIST", "Comma-separated list of algorithms to use") { |v| options[:algorithms] = v }
+        opts.on("--no-length-filter", "Disable length-based algorithm filtering for short names") { options[:length_filtering] = false }
       end
       parser.parse!(args)
 
@@ -55,14 +56,14 @@ module Typosquatting
 
       ecosystem = Ecosystems::Base.get(options[:ecosystem])
       algorithms = select_algorithms(options[:algorithms])
-      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms)
+      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms, length_filtering: options[:length_filtering])
       variants = generator.generate(package)
 
       output_variants(variants, options)
     end
 
     def check(args)
-      options = { format: "text", verbose: false, existing_only: false, dry_run: false }
+      options = { format: "text", verbose: false, existing_only: false, dry_run: false, length_filtering: true }
       parser = OptionParser.new do |opts|
         opts.banner = "Usage: typosquatting check PACKAGE -e ECOSYSTEM [options]"
         opts.on("-e", "--ecosystem ECOSYSTEM", "Package ecosystem (required)") { |v| options[:ecosystem] = v }
@@ -71,6 +72,7 @@ module Typosquatting
         opts.on("-a", "--algorithms LIST", "Comma-separated list of algorithms to use") { |v| options[:algorithms] = v }
         opts.on("--existing-only", "Only show packages that exist") { options[:existing_only] = true }
         opts.on("--dry-run", "Show variants without making API calls") { options[:dry_run] = true }
+        opts.on("--no-length-filter", "Disable length-based algorithm filtering for short names") { options[:length_filtering] = false }
       end
       parser.parse!(args)
 
@@ -83,7 +85,7 @@ module Typosquatting
 
       ecosystem = Ecosystems::Base.get(options[:ecosystem])
       algorithms = select_algorithms(options[:algorithms])
-      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms)
+      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms, length_filtering: options[:length_filtering])
       variants = generator.generate(package)
 
       if options[:dry_run]
@@ -177,16 +179,17 @@ module Typosquatting
     def ecosystems
       puts "Supported ecosystems:"
       puts ""
-      puts "  pypi      - Python Package Index"
-      puts "  npm       - Node Package Manager"
-      puts "  gem       - RubyGems"
-      puts "  cargo     - Rust packages"
-      puts "  golang    - Go modules"
-      puts "  maven     - Java/JVM packages"
-      puts "  nuget     - .NET packages"
-      puts "  composer  - PHP packages"
-      puts "  hex       - Erlang/Elixir packages"
-      puts "  pub       - Dart packages"
+      puts "  pypi           - Python Package Index"
+      puts "  npm            - Node Package Manager"
+      puts "  gem            - RubyGems"
+      puts "  cargo          - Rust packages"
+      puts "  golang         - Go modules"
+      puts "  maven          - Java/JVM packages"
+      puts "  nuget          - .NET packages"
+      puts "  composer       - PHP packages"
+      puts "  hex            - Erlang/Elixir packages"
+      puts "  pub            - Dart packages"
+      puts "  github_actions - GitHub Actions"
     end
 
     def algorithms

data/lib/typosquatting/ecosystems/github_actions.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Ecosystems
+    class GithubActions < Base
+      def initialize
+        super
+        @name = "github_actions"
+        @purl_type = "github"
+      end
+
+      def name_pattern
+        /\A[a-zA-Z0-9][a-zA-Z0-9-]*\/[a-zA-Z0-9._-]+\z/
+      end
+
+      def allowed_characters
+        /[a-zA-Z0-9._-]/
+      end
+
+      def allowed_delimiters
+        %w[- _ .]
+      end
+
+      def case_sensitive?
+        false
+      end
+
+      def supports_namespaces?
+        true
+      end
+
+      def normalise(name)
+        name.downcase.sub(/@.*$/, "")
+      end
+
+      def parse_namespace(name)
+        clean_name = name.sub(/@.*$/, "")
+        parts = clean_name.split("/", 2)
+        if parts.length == 2
+          [parts[0], parts[1]]
+        else
+          [nil, name]
+        end
+      end
+
+      def valid_name?(name)
+        return false if name.nil? || name.empty?
+
+        clean_name = name.sub(/@.*$/, "")
+        owner, repo = parse_namespace(clean_name)
+
+        return false if owner.nil? || repo.nil?
+        return false if owner.empty? || repo.empty?
+
+        return false unless valid_owner?(owner)
+        return false unless valid_repo?(repo)
+
+        true
+      end
+
+      def format_name(owner, repo)
+        "#{owner}/#{repo}"
+      end
+
+      def valid_owner?(owner)
+        return false if owner.length > 39
+        return false if owner.start_with?("-")
+        return false if owner.end_with?("-")
+        return false if owner.include?("--")
+
+        !!(owner =~ /\A[a-zA-Z0-9][a-zA-Z0-9-]*\z/)
+      end
+
+      def valid_repo?(repo)
+        return false if repo.length > 100
+        return false if repo.start_with?(".")
+
+        !!(repo =~ /\A[a-zA-Z0-9._-]+\z/)
+      end
+    end
+
+    Base.register(GithubActions.new)
+  end
+end

data/lib/typosquatting/ecosystems/golang.rb

@@ -49,6 +49,10 @@ module Typosquatting
 
         !!(name =~ name_pattern)
       end
+
+      def format_name(namespace, name)
+        "#{namespace}/#{name}"
+      end
     end
 
     Base.register(Golang.new)

data/lib/typosquatting/ecosystems/npm.rb

@@ -59,6 +59,14 @@ module Typosquatting
 
         true
       end
+
+      def format_name(namespace, name)
+        if namespace
+          "#{namespace}/#{name}"
+        else
+          name
+        end
+      end
     end
 
     Base.register(Npm.new)

data/lib/typosquatting/generator.rb

@@ -2,17 +2,47 @@
 
 module Typosquatting
   class Generator
-    attr_reader :ecosystem, :algorithms
+    SHORT_NAME_THRESHOLD = 5
 
-    def initialize(ecosystem:, algorithms: nil)
+    HIGH_CONFIDENCE_ALGORITHMS = %w[
+      homoglyph
+      repetition
+      replacement
+      transposition
+    ].freeze
+
+    attr_reader :ecosystem, :algorithms, :length_filtering
+
+    def initialize(ecosystem:, algorithms: nil, length_filtering: true)
       @ecosystem = ecosystem.is_a?(String) ? Ecosystems::Base.get(ecosystem) : ecosystem
       @algorithms = algorithms || Algorithms::Base.all
+      @length_filtering = length_filtering
     end
 
     def generate(package_name)
       results = []
 
-      algorithms.each do |algorithm|
+      if ecosystem.supports_namespaces?
+        results.concat(generate_namespace_aware(package_name))
+      else
+        results.concat(generate_simple(package_name))
+      end
+
+      dedupe_by_normalised_name(results)
+    end
+
+    def algorithms_for_length(name_length)
+      return algorithms unless length_filtering
+      return algorithms if name_length >= SHORT_NAME_THRESHOLD
+
+      algorithms.select { |a| HIGH_CONFIDENCE_ALGORITHMS.include?(a.name) }
+    end
+
+    def generate_simple(package_name)
+      results = []
+      active_algorithms = algorithms_for_length(package_name.length)
+
+      active_algorithms.each do |algorithm|
         variants = algorithm.generate(package_name)
         variants.each do |variant|
           next if variant == package_name
@@ -27,7 +57,59 @@ module Typosquatting
         end
       end
 
-      dedupe_by_normalised_name(results)
+      results
+    end
+
+    def generate_namespace_aware(package_name)
+      namespace, name = ecosystem.parse_namespace(package_name)
+      results = []
+
+      return generate_simple(package_name) if namespace.nil?
+
+      namespace_algorithms = algorithms_for_length(namespace.length)
+      name_algorithms = algorithms_for_length(name.length)
+
+      namespace_algorithms.each do |algorithm|
+        namespace_variants = algorithm.generate(namespace)
+        namespace_variants.each do |ns_variant|
+          full_name = rebuild_namespaced_name(ns_variant, name)
+          next if full_name == package_name
+          next unless ecosystem.valid_name?(full_name)
+          next if same_after_normalisation?(package_name, full_name)
+
+          results << Variant.new(
+            name: full_name,
+            algorithm: algorithm.name,
+            original: package_name
+          )
+        end
+      end
+
+      name_algorithms.each do |algorithm|
+        name_variants = algorithm.generate(name)
+        name_variants.each do |name_variant|
+          full_name = rebuild_namespaced_name(namespace, name_variant)
+          next if full_name == package_name
+          next unless ecosystem.valid_name?(full_name)
+          next if same_after_normalisation?(package_name, full_name)
+
+          results << Variant.new(
+            name: full_name,
+            algorithm: algorithm.name,
+            original: package_name
+          )
+        end
+      end
+
+      results
+    end
+
+    def rebuild_namespaced_name(namespace, name)
+      if ecosystem.respond_to?(:format_name)
+        ecosystem.format_name(namespace, name)
+      else
+        "#{namespace}/#{name}"
+      end
     end
 
     Variant = Struct.new(:name, :algorithm, :original, keyword_init: true) do

data/lib/typosquatting/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Typosquatting
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/typosquatting.rb

@@ -15,6 +15,10 @@ require_relative "typosquatting/algorithms/word_order"
 require_relative "typosquatting/algorithms/plural"
 require_relative "typosquatting/algorithms/misspelling"
 require_relative "typosquatting/algorithms/numeral"
+require_relative "typosquatting/algorithms/bitflip"
+require_relative "typosquatting/algorithms/adjacent_insertion"
+require_relative "typosquatting/algorithms/double_hit"
+require_relative "typosquatting/algorithms/combosquatting"
 
 require_relative "typosquatting/ecosystems/base"
 require_relative "typosquatting/ecosystems/pypi"
@@ -27,6 +31,7 @@ require_relative "typosquatting/ecosystems/nuget"
 require_relative "typosquatting/ecosystems/composer"
 require_relative "typosquatting/ecosystems/hex"
 require_relative "typosquatting/ecosystems/pub"
+require_relative "typosquatting/ecosystems/github_actions"
 
 require_relative "typosquatting/generator"
 require_relative "typosquatting/lookup"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: typosquatting
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -55,8 +55,12 @@ files:
 - exe/typosquatting
 - lib/typosquatting.rb
 - lib/typosquatting/algorithms/addition.rb
+- lib/typosquatting/algorithms/adjacent_insertion.rb
 - lib/typosquatting/algorithms/base.rb
+- lib/typosquatting/algorithms/bitflip.rb
+- lib/typosquatting/algorithms/combosquatting.rb
 - lib/typosquatting/algorithms/delimiter.rb
+- lib/typosquatting/algorithms/double_hit.rb
 - lib/typosquatting/algorithms/homoglyph.rb
 - lib/typosquatting/algorithms/misspelling.rb
 - lib/typosquatting/algorithms/numeral.rb
@@ -72,6 +76,7 @@ files:
 - lib/typosquatting/ecosystems/base.rb
 - lib/typosquatting/ecosystems/cargo.rb
 - lib/typosquatting/ecosystems/composer.rb
+- lib/typosquatting/ecosystems/github_actions.rb
 - lib/typosquatting/ecosystems/golang.rb
 - lib/typosquatting/ecosystems/hex.rb
 - lib/typosquatting/ecosystems/maven.rb