typosquatting 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e50bfd6b6ae458a3c588600cf0ae4e3fe7a551bf801d0133dca2c88d5df423d6
-  data.tar.gz: d9f0abe8dd964b970e0f760f807b4b76a2f71d3ad9a05b32dcf5b19ce1438f76
+  metadata.gz: 59d9c744171a8ac32d88c7218078d24ce9a27da2822b03c5127569a9cf91be46
+  data.tar.gz: eb928d00e9d2f3eb5c195628c9a7bc8eaf33e02bc04ce07eab98449b48e3f12c
 SHA512:
-  metadata.gz: 9cf712d35089a972dd4b9cd47139cb0b793a901f2665de3027629c0f6f39faa1216ef2df4092ee04bc21c89b5c9e2f44e4b26dcbf95598c9b64a151793b3f6be
-  data.tar.gz: 4bb644fb9af9173051c6de93b5d0b5e88f3dac01ff6873dba102dfb2a72d64e0acda77daf7116597a1a93945e050a04f9603c18a039f6faca0761be51e310142
+  metadata.gz: ef4a6f706d3bd5a53d603c1c7d124fd317241ecff5ec898dea1df810ae5e65173986ab3d329ddb7300c89c2608c797b99369425eeb7910cb40f7574de99dfd00
+  data.tar.gz: 93643869152bc1c8ee092a0289c5c49d8615f69adb849f1f5343d8f11748b425f48b6a1e6028223432cf1eecb725fae24181e9d218297657a9fa61e1309675ef

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 ## [Unreleased]
 
+## [0.3.0] - 2025-12-17
+
+- Add `discover` command to find existing similar packages by edit distance using prefix/postfix API
+
+## [0.2.0] - 2025-12-17
+
+- Add GitHub Actions ecosystem for CI/CD workflow typosquatting detection
+- Add namespace-aware variant generation for ecosystems with owner/vendor (Go, Composer, npm scoped packages)
+- Add bitflip algorithm for bitsquatting attacks
+- Add adjacent_insertion algorithm for inserting adjacent keyboard characters
+- Add double_hit algorithm for replacing consecutive identical characters with adjacent keys
+- Add length-aware algorithm filtering to reduce false positives for short package names (under 5 chars)
+- Add combosquatting algorithm for common package suffixes (-js, -py, -cli, -lite, etc.)
+
 ## [0.1.0] - 2025-12-16
 
 - Initial release

data/README.md

@@ -2,7 +2,7 @@
 
 Detect potential typosquatting packages across package ecosystems. Generate typosquat variants of package names and check if they exist on package registries.
 
-Supports PyPI, npm, RubyGems, Cargo, Go, Maven, NuGet, Composer, Hex, and Pub.
+Supports PyPI, npm, RubyGems, Cargo, Go, Maven, NuGet, Composer, Hex, Pub, and GitHub Actions.
 
 ## When to use this
 
@@ -17,6 +17,8 @@ This tool helps you:
 
 False positives are common. A package named `request` isn't necessarily a typosquat of `requests`. Use the output as a starting point for investigation, not as a definitive verdict.
 
+Short package names (under 5 characters) produce more false positives because many legitimate short packages exist. By default, the generator uses only high-confidence algorithms (homoglyph, repetition, replacement, transposition) for short names. Use `--no-length-filter` to disable this and run all algorithms regardless of name length.
+
 ## Installation
 
 ```bash
@@ -53,6 +55,9 @@ typosquatting check requests -e pypi --dry-run
 # Check for dependency confusion risks
 typosquatting confusion com.company:internal-lib -e maven
 
+# Check GitHub Actions for typosquats
+typosquatting check actions/checkout -e github_actions
+
 # Check multiple packages from a file
 typosquatting confusion -e maven --file internal-packages.txt
 
@@ -64,6 +69,12 @@ typosquatting check requests -e pypi -f json
 
 # List available algorithms
 typosquatting algorithms
+
+# Discover existing packages similar to a target (by edit distance)
+typosquatting discover requests -e pypi
+
+# Discover with generated variants check
+typosquatting discover requests -e pypi --with-variants
 ```
 
 ## Example Output
@@ -158,6 +169,7 @@ Use these identifiers with the `-e` / `--ecosystem` flag:
 | `composer` | Packagist | No | `-` `_` `.` | `vendor/package` format |
 | `hex` | hex.pm | No | `_` | Underscore only, no hyphens |
 | `pub` | pub.dev | No | `_` | Underscore only, 2-64 chars |
+| `github_actions` | GitHub | No | `-` `_` `.` | `owner/repo` format, targets CI/CD workflows |
 
 ## Algorithms
 
@@ -177,6 +189,10 @@ Use these names with the `-a` / `--algorithms` flag (comma-separated):
 | `plural` | Singularize/pluralize | `request` -> `requests` |
 | `misspelling` | Common typos | `library` -> `libary` |
 | `numeral` | Number/word swap | `lib2` -> `libtwo` |
+| `bitflip` | Single-bit errors (bitsquatting) | `google` -> `coogle` |
+| `adjacent_insertion` | Insert adjacent keyboard key | `google` -> `googhle` |
+| `double_hit` | Replace double chars with adjacent | `google` -> `giigle` |
+| `combosquatting` | Add common package suffixes | `lodash` -> `lodash-js` |
 
 ## SBOM Support
 
@@ -194,6 +210,38 @@ Package lookups use the [ecosyste.ms](https://packages.ecosyste.ms) API. Request
 
 Be mindful when checking many packages. The `--dry-run` flag shows what would be checked without making API calls.
 
+### packages.ecosyste.ms API
+
+The package_names endpoint can help identify potential typosquats by searching for packages with similar prefixes or postfixes to popular package names.
+
+```
+GET /api/v1/registries/{registry}/package_names
+```
+
+**Parameters:**
+- `prefix` - filter by package names starting with string (case insensitive)
+- `postfix` - filter by package names ending with string (case insensitive)
+- `page`, `per_page` - pagination
+- `sort`, `order` - sorting
+
+**Examples:**
+```
+# Find RubyGems packages ending in "ails" (potential "rails" typosquats)
+https://packages.ecosyste.ms/api/v1/registries/rubygems.org/package_names?postfix=ails
+
+# Find RubyGems packages starting with "rai" (potential "rails" typosquats)
+https://packages.ecosyste.ms/api/v1/registries/rubygems.org/package_names?prefix=rai
+
+# Find npm packages starting with "reac" (potential "react" typosquats)
+https://packages.ecosyste.ms/api/v1/registries/npmjs.org/package_names?prefix=reac
+```
+
+Full API documentation: [packages.ecosyste.ms/docs](https://packages.ecosyste.ms/docs)
+
+## Dataset
+
+The [ecosyste-ms/typosquatting-dataset](https://github.com/ecosyste-ms/typosquatting-dataset) contains 143 confirmed typosquatting attacks from security research, mapping malicious packages to their targets with classification and source attribution. Useful for testing detection tools and understanding real attack patterns.
+
 ## Development
 
 ```bash

data/lib/typosquatting/algorithms/adjacent_insertion.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class AdjacentInsertion < Base
+      KEYBOARD_ADJACENT = Replacement::KEYBOARD_ADJACENT
+
+      def generate(package_name)
+        variants = []
+
+        package_name.each_char.with_index do |char, i|
+          adjacent = KEYBOARD_ADJACENT[char.downcase] || []
+          adjacent.each do |adj_char|
+            variants << package_name[0..i] + adj_char + package_name[(i + 1)..]
+            variants << package_name[0...i] + adj_char + package_name[i..]
+          end
+        end
+
+        variants.uniq
+      end
+    end
+  end
+end

data/lib/typosquatting/algorithms/base.rb

@@ -26,7 +26,11 @@ module Typosquatting
           WordOrder.new,
           Plural.new,
           Misspelling.new,
-          Numeral.new
+          Numeral.new,
+          Bitflip.new,
+          AdjacentInsertion.new,
+          DoubleHit.new,
+          Combosquatting.new
         ]
       end
     end

data/lib/typosquatting/algorithms/bitflip.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class Bitflip < Base
+      VALID_CHARS = (("a".."z").to_a + ("0".."9").to_a + %w[- _]).freeze
+
+      def generate(package_name)
+        variants = []
+
+        package_name.each_char.with_index do |char, i|
+          flipped = bitflip_char(char)
+          flipped.each do |new_char|
+            next unless VALID_CHARS.include?(new_char)
+
+            variant = package_name[0...i] + new_char + package_name[(i + 1)..]
+            variants << variant
+          end
+        end
+
+        variants.uniq
+      end
+
+      def bitflip_char(char)
+        byte = char.ord
+        results = []
+
+        8.times do |bit|
+          flipped_byte = byte ^ (1 << bit)
+          next if flipped_byte > 127 || flipped_byte < 32
+
+          results << flipped_byte.chr
+        end
+
+        results.reject { |c| c == char }
+      end
+    end
+  end
+end

data/lib/typosquatting/algorithms/combosquatting.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class Combosquatting < Base
+      SUFFIXES = %w[
+        js .js -js
+        py -py -python python
+        -node node- -npm npm-
+        -cli -api -core -utils -util -lib -pkg
+        -lite -dev -test -beta -alpha
+        -compat -legacy -next -new -v2
+        -simd -fast -async
+        s -s
+      ].freeze
+
+      PREFIXES = %w[
+        py- python-
+        node- npm-
+        go-
+        js-
+        my- the- a-
+      ].freeze
+
+      def generate(package_name)
+        variants = []
+
+        SUFFIXES.each do |suffix|
+          variants << "#{package_name}#{suffix}"
+        end
+
+        PREFIXES.each do |prefix|
+          variants << "#{prefix}#{package_name}"
+        end
+
+        variants.uniq
+      end
+    end
+  end
+end

data/lib/typosquatting/algorithms/double_hit.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Algorithms
+    class DoubleHit < Base
+      KEYBOARD_ADJACENT = Replacement::KEYBOARD_ADJACENT
+
+      def generate(package_name)
+        variants = []
+
+        (package_name.length - 1).times do |i|
+          next unless package_name[i] == package_name[i + 1]
+
+          char = package_name[i].downcase
+          adjacent = KEYBOARD_ADJACENT[char] || []
+
+          adjacent.each do |adj_char|
+            variant = package_name[0...i] + adj_char + adj_char + package_name[(i + 2)..]
+            variants << variant
+          end
+        end
+
+        variants.uniq
+      end
+    end
+  end
+end

data/lib/typosquatting/cli.rb

@@ -16,6 +16,8 @@ module Typosquatting
         generate(args)
       when "check"
         check(args)
+      when "discover"
+        discover(args)
       when "confusion"
         confusion(args)
       when "sbom"
@@ -36,13 +38,14 @@ module Typosquatting
     end
 
     def generate(args)
-      options = { format: "text", verbose: false }
+      options = { format: "text", verbose: false, length_filtering: true }
       parser = OptionParser.new do |opts|
         opts.banner = "Usage: typosquatting generate PACKAGE -e ECOSYSTEM [options]"
         opts.on("-e", "--ecosystem ECOSYSTEM", "Package ecosystem (required)") { |v| options[:ecosystem] = v }
         opts.on("-f", "--format FORMAT", "Output format (text, json, csv)") { |v| options[:format] = v }
         opts.on("-v", "--verbose", "Show algorithm for each variant") { options[:verbose] = true }
         opts.on("-a", "--algorithms LIST", "Comma-separated list of algorithms to use") { |v| options[:algorithms] = v }
+        opts.on("--no-length-filter", "Disable length-based algorithm filtering for short names") { options[:length_filtering] = false }
       end
       parser.parse!(args)
 
@@ -55,14 +58,14 @@ module Typosquatting
 
       ecosystem = Ecosystems::Base.get(options[:ecosystem])
       algorithms = select_algorithms(options[:algorithms])
-      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms)
+      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms, length_filtering: options[:length_filtering])
       variants = generator.generate(package)
 
       output_variants(variants, options)
     end
 
     def check(args)
-      options = { format: "text", verbose: false, existing_only: false, dry_run: false }
+      options = { format: "text", verbose: false, existing_only: false, dry_run: false, length_filtering: true }
       parser = OptionParser.new do |opts|
         opts.banner = "Usage: typosquatting check PACKAGE -e ECOSYSTEM [options]"
         opts.on("-e", "--ecosystem ECOSYSTEM", "Package ecosystem (required)") { |v| options[:ecosystem] = v }
@@ -71,6 +74,7 @@ module Typosquatting
         opts.on("-a", "--algorithms LIST", "Comma-separated list of algorithms to use") { |v| options[:algorithms] = v }
         opts.on("--existing-only", "Only show packages that exist") { options[:existing_only] = true }
         opts.on("--dry-run", "Show variants without making API calls") { options[:dry_run] = true }
+        opts.on("--no-length-filter", "Disable length-based algorithm filtering for short names") { options[:length_filtering] = false }
       end
       parser.parse!(args)
 
@@ -83,7 +87,7 @@ module Typosquatting
 
       ecosystem = Ecosystems::Base.get(options[:ecosystem])
       algorithms = select_algorithms(options[:algorithms])
-      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms)
+      generator = Generator.new(ecosystem: ecosystem, algorithms: algorithms, length_filtering: options[:length_filtering])
       variants = generator.generate(package)
 
       if options[:dry_run]
@@ -99,6 +103,39 @@ module Typosquatting
       output_check_results(results, options)
     end
 
+    def discover(args)
+      options = { format: "text", max_distance: 2 }
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: typosquatting discover PACKAGE -e ECOSYSTEM [options]"
+        opts.on("-e", "--ecosystem ECOSYSTEM", "Package ecosystem (required)") { |v| options[:ecosystem] = v }
+        opts.on("-f", "--format FORMAT", "Output format (text, json)") { |v| options[:format] = v }
+        opts.on("-d", "--distance N", Integer, "Maximum edit distance (default: 2)") { |v| options[:max_distance] = v }
+        opts.on("--with-variants", "Also show which generated variants exist") { options[:with_variants] = true }
+      end
+      parser.parse!(args)
+
+      package = args.shift
+      unless package && options[:ecosystem]
+        $stderr.puts "Error: Package name and ecosystem required"
+        $stderr.puts parser
+        exit 1
+      end
+
+      lookup = Lookup.new(ecosystem: options[:ecosystem])
+
+      $stderr.puts "Discovering similar packages to #{package}..." if $stderr.tty?
+      results = lookup.discover(package, max_distance: options[:max_distance])
+
+      if options[:with_variants]
+        generator = Generator.new(ecosystem: options[:ecosystem])
+        variants = generator.generate(package)
+        variant_results = lookup.check_with_variants(package, variants)
+        existing_variants = variant_results.select(&:exists?)
+      end
+
+      output_discover_results(results, existing_variants, options)
+    end
+
     def confusion(args)
       options = { format: "text" }
       parser = OptionParser.new do |opts|
@@ -177,16 +214,17 @@ module Typosquatting
     def ecosystems
       puts "Supported ecosystems:"
       puts ""
-      puts "  pypi      - Python Package Index"
-      puts "  npm       - Node Package Manager"
-      puts "  gem       - RubyGems"
-      puts "  cargo     - Rust packages"
-      puts "  golang    - Go modules"
-      puts "  maven     - Java/JVM packages"
-      puts "  nuget     - .NET packages"
-      puts "  composer  - PHP packages"
-      puts "  hex       - Erlang/Elixir packages"
-      puts "  pub       - Dart packages"
+      puts "  pypi           - Python Package Index"
+      puts "  npm            - Node Package Manager"
+      puts "  gem            - RubyGems"
+      puts "  cargo          - Rust packages"
+      puts "  golang         - Go modules"
+      puts "  maven          - Java/JVM packages"
+      puts "  nuget          - .NET packages"
+      puts "  composer       - PHP packages"
+      puts "  hex            - Erlang/Elixir packages"
+      puts "  pub            - Dart packages"
+      puts "  github_actions - GitHub Actions"
     end
 
     def algorithms
@@ -209,6 +247,7 @@ module Typosquatting
       puts "Commands:"
       puts "  generate PACKAGE -e ECOSYSTEM    Generate typosquat variants"
       puts "  check PACKAGE -e ECOSYSTEM       Check which variants exist"
+      puts "  discover PACKAGE -e ECOSYSTEM    Find similar packages by edit distance"
       puts "  confusion PACKAGE -e ECOSYSTEM   Check for dependency confusion"
       puts "  sbom FILE                        Check SBOM for potential typosquats"
       puts "  ecosystems                       List supported ecosystems"
@@ -219,6 +258,7 @@ module Typosquatting
       puts "Examples:"
       puts "  typosquatting generate requests -e pypi"
       puts "  typosquatting check requests -e pypi --existing-only"
+      puts "  typosquatting discover rails -e gem --with-variants"
       puts "  typosquatting confusion my-package -e maven"
       puts "  typosquatting sbom bom.json"
     end
@@ -376,5 +416,42 @@ module Typosquatting
         puts "Found #{results.length} suspicious package(s)"
       end
     end
+
+    def output_discover_results(discovered, existing_variants, options)
+      case options[:format]
+      when "json"
+        data = {
+          discovered: discovered.map(&:to_h),
+          existing_variants: existing_variants&.map(&:to_h)
+        }.compact
+        puts JSON.pretty_generate(data)
+      else
+        if discovered.empty? && (existing_variants.nil? || existing_variants.empty?)
+          puts "No similar packages found"
+          return
+        end
+
+        if discovered.any?
+          puts "Similar packages found (by edit distance):"
+          puts ""
+          discovered.each do |result|
+            puts "  #{result.name} (distance: #{result.distance})"
+          end
+          puts ""
+        end
+
+        if existing_variants&.any?
+          puts "Generated variants that exist:"
+          puts ""
+          existing_variants.each do |result|
+            puts "  #{result.name}"
+          end
+          puts ""
+        end
+
+        puts "Found #{discovered.length} similar package(s)"
+        puts "Found #{existing_variants.length} existing variant(s)" if existing_variants&.any?
+      end
+    end
   end
 end

data/lib/typosquatting/ecosystems/github_actions.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module Typosquatting
+  module Ecosystems
+    class GithubActions < Base
+      def initialize
+        super
+        @name = "github_actions"
+        @purl_type = "github"
+      end
+
+      def name_pattern
+        /\A[a-zA-Z0-9][a-zA-Z0-9-]*\/[a-zA-Z0-9._-]+\z/
+      end
+
+      def allowed_characters
+        /[a-zA-Z0-9._-]/
+      end
+
+      def allowed_delimiters
+        %w[- _ .]
+      end
+
+      def case_sensitive?
+        false
+      end
+
+      def supports_namespaces?
+        true
+      end
+
+      def normalise(name)
+        name.downcase.sub(/@.*$/, "")
+      end
+
+      def parse_namespace(name)
+        clean_name = name.sub(/@.*$/, "")
+        parts = clean_name.split("/", 2)
+        if parts.length == 2
+          [parts[0], parts[1]]
+        else
+          [nil, name]
+        end
+      end
+
+      def valid_name?(name)
+        return false if name.nil? || name.empty?
+
+        clean_name = name.sub(/@.*$/, "")
+        owner, repo = parse_namespace(clean_name)
+
+        return false if owner.nil? || repo.nil?
+        return false if owner.empty? || repo.empty?
+
+        return false unless valid_owner?(owner)
+        return false unless valid_repo?(repo)
+
+        true
+      end
+
+      def format_name(owner, repo)
+        "#{owner}/#{repo}"
+      end
+
+      def valid_owner?(owner)
+        return false if owner.length > 39
+        return false if owner.start_with?("-")
+        return false if owner.end_with?("-")
+        return false if owner.include?("--")
+
+        !!(owner =~ /\A[a-zA-Z0-9][a-zA-Z0-9-]*\z/)
+      end
+
+      def valid_repo?(repo)
+        return false if repo.length > 100
+        return false if repo.start_with?(".")
+
+        !!(repo =~ /\A[a-zA-Z0-9._-]+\z/)
+      end
+    end
+
+    Base.register(GithubActions.new)
+  end
+end

data/lib/typosquatting/ecosystems/golang.rb

@@ -49,6 +49,10 @@ module Typosquatting
 
         !!(name =~ name_pattern)
       end
+
+      def format_name(namespace, name)
+        "#{namespace}/#{name}"
+      end
     end
 
     Base.register(Golang.new)

data/lib/typosquatting/ecosystems/npm.rb

@@ -59,6 +59,14 @@ module Typosquatting
 
         true
       end
+
+      def format_name(namespace, name)
+        if namespace
+          "#{namespace}/#{name}"
+        else
+          name
+        end
+      end
     end
 
     Base.register(Npm.new)

data/lib/typosquatting/generator.rb

@@ -2,17 +2,47 @@
 
 module Typosquatting
   class Generator
-    attr_reader :ecosystem, :algorithms
+    SHORT_NAME_THRESHOLD = 5
 
-    def initialize(ecosystem:, algorithms: nil)
+    HIGH_CONFIDENCE_ALGORITHMS = %w[
+      homoglyph
+      repetition
+      replacement
+      transposition
+    ].freeze
+
+    attr_reader :ecosystem, :algorithms, :length_filtering
+
+    def initialize(ecosystem:, algorithms: nil, length_filtering: true)
       @ecosystem = ecosystem.is_a?(String) ? Ecosystems::Base.get(ecosystem) : ecosystem
       @algorithms = algorithms || Algorithms::Base.all
+      @length_filtering = length_filtering
     end
 
     def generate(package_name)
       results = []
 
-      algorithms.each do |algorithm|
+      if ecosystem.supports_namespaces?
+        results.concat(generate_namespace_aware(package_name))
+      else
+        results.concat(generate_simple(package_name))
+      end
+
+      dedupe_by_normalised_name(results)
+    end
+
+    def algorithms_for_length(name_length)
+      return algorithms unless length_filtering
+      return algorithms if name_length >= SHORT_NAME_THRESHOLD
+
+      algorithms.select { |a| HIGH_CONFIDENCE_ALGORITHMS.include?(a.name) }
+    end
+
+    def generate_simple(package_name)
+      results = []
+      active_algorithms = algorithms_for_length(package_name.length)
+
+      active_algorithms.each do |algorithm|
         variants = algorithm.generate(package_name)
         variants.each do |variant|
           next if variant == package_name
@@ -27,7 +57,59 @@ module Typosquatting
         end
       end
 
-      dedupe_by_normalised_name(results)
+      results
+    end
+
+    def generate_namespace_aware(package_name)
+      namespace, name = ecosystem.parse_namespace(package_name)
+      results = []
+
+      return generate_simple(package_name) if namespace.nil?
+
+      namespace_algorithms = algorithms_for_length(namespace.length)
+      name_algorithms = algorithms_for_length(name.length)
+
+      namespace_algorithms.each do |algorithm|
+        namespace_variants = algorithm.generate(namespace)
+        namespace_variants.each do |ns_variant|
+          full_name = rebuild_namespaced_name(ns_variant, name)
+          next if full_name == package_name
+          next unless ecosystem.valid_name?(full_name)
+          next if same_after_normalisation?(package_name, full_name)
+
+          results << Variant.new(
+            name: full_name,
+            algorithm: algorithm.name,
+            original: package_name
+          )
+        end
+      end
+
+      name_algorithms.each do |algorithm|
+        name_variants = algorithm.generate(name)
+        name_variants.each do |name_variant|
+          full_name = rebuild_namespaced_name(namespace, name_variant)
+          next if full_name == package_name
+          next unless ecosystem.valid_name?(full_name)
+          next if same_after_normalisation?(package_name, full_name)
+
+          results << Variant.new(
+            name: full_name,
+            algorithm: algorithm.name,
+            original: package_name
+          )
+        end
+      end
+
+      results
+    end
+
+    def rebuild_namespaced_name(namespace, name)
+      if ecosystem.respond_to?(:format_name)
+        ecosystem.format_name(namespace, name)
+      else
+        "#{namespace}/#{name}"
+      end
     end
 
     Variant = Struct.new(:name, :algorithm, :original, keyword_init: true) do

data/lib/typosquatting/lookup.rb

@@ -4,6 +4,7 @@ require "net/http"
 require "json"
 require "uri"
 require "purl"
+require "set"
 
 module Typosquatting
   class Lookup
@@ -51,6 +52,92 @@ module Typosquatting
       response&.map { |r| Registry.new(r) } || []
     end
 
+    def list_names(registry:, prefix: nil, postfix: nil)
+      params = []
+      params << "prefix=#{URI.encode_www_form_component(prefix)}" if prefix
+      params << "postfix=#{URI.encode_www_form_component(postfix)}" if postfix
+      query = params.empty? ? "" : "?#{params.join("&")}"
+
+      fetch("/registries/#{URI.encode_www_form_component(registry)}/package_names#{query}") || []
+    end
+
+    def discover(package_name, max_distance: 2)
+      registry = registries.first
+      return [] unless registry
+
+      prefix = package_name[0, 3]
+      candidates = list_names(registry: registry.name, prefix: prefix)
+
+      candidates.filter_map do |candidate|
+        next if candidate == package_name
+
+        distance = levenshtein(package_name.downcase, candidate.downcase)
+        next if distance > max_distance || distance == 0
+
+        DiscoveryResult.new(
+          name: candidate,
+          target: package_name,
+          distance: distance
+        )
+      end.sort_by(&:distance)
+    end
+
+    def check_with_variants(package_name, variants)
+      registry = registries.first
+      return [] unless registry
+
+      prefix = package_name[0, 3]
+      existing = list_names(registry: registry.name, prefix: prefix)
+      existing_set = existing.map(&:downcase).to_set
+
+      variant_names = variants.map { |v| v.is_a?(String) ? v : v.name }
+
+      variant_names.filter_map do |variant|
+        exists = existing_set.include?(variant.downcase)
+        VariantCheckResult.new(
+          name: variant,
+          exists: exists
+        )
+      end
+    end
+
+    def levenshtein(s1, s2)
+      m, n = s1.length, s2.length
+      return n if m == 0
+      return m if n == 0
+
+      d = Array.new(m + 1) { |i| i }
+      x = nil
+
+      (1..n).each do |j|
+        d[0] = j
+        x = j - 1
+
+        (1..m).each do |i|
+          cost = s1[i - 1] == s2[j - 1] ? 0 : 1
+          x, d[i] = d[i], [d[i] + 1, d[i - 1] + 1, x + cost].min
+        end
+      end
+
+      d[m]
+    end
+
+    DiscoveryResult = Struct.new(:name, :target, :distance, keyword_init: true) do
+      def to_h
+        { name: name, target: target, distance: distance }
+      end
+    end
+
+    VariantCheckResult = Struct.new(:name, :exists, keyword_init: true) do
+      def exists?
+        exists
+      end
+
+      def to_h
+        { name: name, exists: exists }
+      end
+    end
+
     Result = Struct.new(:name, :purl, :packages, :ecosystem, keyword_init: true) do
       def exists?
         !packages.empty?

data/lib/typosquatting/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Typosquatting
-  VERSION = "0.1.0"
+  VERSION = "0.3.0"
 end

data/lib/typosquatting.rb

@@ -15,6 +15,10 @@ require_relative "typosquatting/algorithms/word_order"
 require_relative "typosquatting/algorithms/plural"
 require_relative "typosquatting/algorithms/misspelling"
 require_relative "typosquatting/algorithms/numeral"
+require_relative "typosquatting/algorithms/bitflip"
+require_relative "typosquatting/algorithms/adjacent_insertion"
+require_relative "typosquatting/algorithms/double_hit"
+require_relative "typosquatting/algorithms/combosquatting"
 
 require_relative "typosquatting/ecosystems/base"
 require_relative "typosquatting/ecosystems/pypi"
@@ -27,6 +31,7 @@ require_relative "typosquatting/ecosystems/nuget"
 require_relative "typosquatting/ecosystems/composer"
 require_relative "typosquatting/ecosystems/hex"
 require_relative "typosquatting/ecosystems/pub"
+require_relative "typosquatting/ecosystems/github_actions"
 
 require_relative "typosquatting/generator"
 require_relative "typosquatting/lookup"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: typosquatting
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -55,8 +55,12 @@ files:
 - exe/typosquatting
 - lib/typosquatting.rb
 - lib/typosquatting/algorithms/addition.rb
+- lib/typosquatting/algorithms/adjacent_insertion.rb
 - lib/typosquatting/algorithms/base.rb
+- lib/typosquatting/algorithms/bitflip.rb
+- lib/typosquatting/algorithms/combosquatting.rb
 - lib/typosquatting/algorithms/delimiter.rb
+- lib/typosquatting/algorithms/double_hit.rb
 - lib/typosquatting/algorithms/homoglyph.rb
 - lib/typosquatting/algorithms/misspelling.rb
 - lib/typosquatting/algorithms/numeral.rb
@@ -72,6 +76,7 @@ files:
 - lib/typosquatting/ecosystems/base.rb
 - lib/typosquatting/ecosystems/cargo.rb
 - lib/typosquatting/ecosystems/composer.rb
+- lib/typosquatting/ecosystems/github_actions.rb
 - lib/typosquatting/ecosystems/golang.rb
 - lib/typosquatting/ecosystems/hex.rb
 - lib/typosquatting/ecosystems/maven.rb