typosquatting 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57ce19f59014bac56c5922b53d59c794ef8b55c3ff13cde363db2bef133aff23
-  data.tar.gz: facd26dd6b71803eadfb0c2395f7a0a1249d25992c38d5cf07a15a255de91d69
+  metadata.gz: fc18d0104e41766e5b0b8603d786cde1ff74f7b65360509a8d880732b1d5f6ca
+  data.tar.gz: fb48d984d14196d0ccdb2765ee14d986f614d9d1285c329fe6b57d8fe1cb35a6
 SHA512:
-  metadata.gz: f1de5348e69ee48a5eadcd7fccc310b5f7224f888e84a69bac5ba5fd6bd7d01a64638650834e39ad9f7c55083ec6dd9b3613ed83aefe6019724325a5fcf3b07d
-  data.tar.gz: 40fe04d1f03d7917bac5663a5a22f90b0bfef24307f9656d9401cb77dbff710f332de4c15c7165a564f81ca6a701ea783fd26ceea335b09309260d1526dc87ef
+  metadata.gz: 0b9103d71382bbdfb8af88843a4c73d0abf99a65da6b494027c21d3327eb31f8261545c95514dd0bd4b35b7f681c54d70e4a1abb819d9ac020fcceebd96784d5
+  data.tar.gz: 122e21bf9b46b6379ea2d925998797161020500e56d440f916a43f995faf4865bad5d60cd5077e2e2d33ebc6cd4aa9046af9e419ac02a39729a156fb016376cf

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 ## [Unreleased]
 
+## [0.4.0] - 2026-01-02
+
+- Skip intra-namespace typosquats for scoped packages (npm, composer, golang) since namespace owners control all packages under their namespace
+- Add Dockerfile for running without Ruby installed
+
+## [0.3.0] - 2025-12-17
+
+- Add `discover` command to find existing similar packages by edit distance using prefix/postfix API
+
 ## [0.2.0] - 2025-12-17
 
 - Add GitHub Actions ecosystem for CI/CD workflow typosquatting detection

data/Dockerfile

@@ -0,0 +1,5 @@
+FROM ruby:3.4-alpine
+
+RUN gem install typosquatting
+
+ENTRYPOINT ["typosquatting"]

data/README.md

@@ -31,6 +31,19 @@ Or add to your Gemfile:
 gem "typosquatting"
 ```
 
+Or run with Docker:
+
+```bash
+docker build -t typosquatting .
+docker run --rm typosquatting generate requests -e pypi
+```
+
+For commands that read local files (like `sbom`), mount your directory:
+
+```bash
+docker run --rm -v $PWD:/src typosquatting sbom /src/bom.json
+```
+
 ## CLI Usage
 
 ```bash
@@ -69,6 +82,12 @@ typosquatting check requests -e pypi -f json
 
 # List available algorithms
 typosquatting algorithms
+
+# Discover existing packages similar to a target (by edit distance)
+typosquatting discover requests -e pypi
+
+# Discover with generated variants check
+typosquatting discover requests -e pypi --with-variants
 ```
 
 ## Example Output
@@ -204,10 +223,58 @@ Package lookups use the [ecosyste.ms](https://packages.ecosyste.ms) API. Request
 
 Be mindful when checking many packages. The `--dry-run` flag shows what would be checked without making API calls.
 
+### packages.ecosyste.ms API
+
+The package_names endpoint can help identify potential typosquats by searching for packages with similar prefixes or postfixes to popular package names.
+
+```
+GET /api/v1/registries/{registry}/package_names
+```
+
+**Parameters:**
+- `prefix` - filter by package names starting with string (case insensitive)
+- `postfix` - filter by package names ending with string (case insensitive)
+- `page`, `per_page` - pagination
+- `sort`, `order` - sorting
+
+**Examples:**
+```
+# Find RubyGems packages ending in "ails" (potential "rails" typosquats)
+https://packages.ecosyste.ms/api/v1/registries/rubygems.org/package_names?postfix=ails
+
+# Find RubyGems packages starting with "rai" (potential "rails" typosquats)
+https://packages.ecosyste.ms/api/v1/registries/rubygems.org/package_names?prefix=rai
+
+# Find npm packages starting with "reac" (potential "react" typosquats)
+https://packages.ecosyste.ms/api/v1/registries/npmjs.org/package_names?prefix=reac
+```
+
+Full API documentation: [packages.ecosyste.ms/docs](https://packages.ecosyste.ms/docs)
+
 ## Dataset
 
 The [ecosyste-ms/typosquatting-dataset](https://github.com/ecosyste-ms/typosquatting-dataset) contains 143 confirmed typosquatting attacks from security research, mapping malicious packages to their targets with classification and source attribution. Useful for testing detection tools and understanding real attack patterns.
 
+## Research
+
+The `research/` directory contains a script to scan "critical" packages (high OpenSSF criticality score) for potential typosquats:
+
+```bash
+# Scan critical RubyGems packages
+ruby research/critical_packages.rb rubygems.org
+
+# Scan npm
+ruby research/critical_packages.rb npmjs.org
+
+# Include all algorithms (default is high-confidence only)
+ruby research/critical_packages.rb rubygems.org --all
+
+# Limit to first N packages for testing
+ruby research/critical_packages.rb rubygems.org --limit=100
+```
+
+The script generates variants using all library algorithms, checks which exist on the registry, and outputs a CSV with download counts, creation dates, repository URLs, and package status. It filters out packages that predate the target (can't be typosquats), packages with high download ratios (likely legitimate), and flags packages that have been removed (confirmed typosquats).
+
 ## Development
 
 ```bash

data/lib/typosquatting/cli.rb

@@ -16,6 +16,8 @@ module Typosquatting
         generate(args)
       when "check"
         check(args)
+      when "discover"
+        discover(args)
       when "confusion"
         confusion(args)
       when "sbom"
@@ -101,6 +103,39 @@ module Typosquatting
       output_check_results(results, options)
     end
 
+    def discover(args)
+      options = { format: "text", max_distance: 2 }
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: typosquatting discover PACKAGE -e ECOSYSTEM [options]"
+        opts.on("-e", "--ecosystem ECOSYSTEM", "Package ecosystem (required)") { |v| options[:ecosystem] = v }
+        opts.on("-f", "--format FORMAT", "Output format (text, json)") { |v| options[:format] = v }
+        opts.on("-d", "--distance N", Integer, "Maximum edit distance (default: 2)") { |v| options[:max_distance] = v }
+        opts.on("--with-variants", "Also show which generated variants exist") { options[:with_variants] = true }
+      end
+      parser.parse!(args)
+
+      package = args.shift
+      unless package && options[:ecosystem]
+        $stderr.puts "Error: Package name and ecosystem required"
+        $stderr.puts parser
+        exit 1
+      end
+
+      lookup = Lookup.new(ecosystem: options[:ecosystem])
+
+      $stderr.puts "Discovering similar packages to #{package}..." if $stderr.tty?
+      results = lookup.discover(package, max_distance: options[:max_distance])
+
+      if options[:with_variants]
+        generator = Generator.new(ecosystem: options[:ecosystem])
+        variants = generator.generate(package)
+        variant_results = lookup.check_with_variants(package, variants)
+        existing_variants = variant_results.select(&:exists?)
+      end
+
+      output_discover_results(results, existing_variants, options)
+    end
+
     def confusion(args)
       options = { format: "text" }
       parser = OptionParser.new do |opts|
@@ -212,6 +247,7 @@ module Typosquatting
       puts "Commands:"
       puts "  generate PACKAGE -e ECOSYSTEM    Generate typosquat variants"
       puts "  check PACKAGE -e ECOSYSTEM       Check which variants exist"
+      puts "  discover PACKAGE -e ECOSYSTEM    Find similar packages by edit distance"
       puts "  confusion PACKAGE -e ECOSYSTEM   Check for dependency confusion"
       puts "  sbom FILE                        Check SBOM for potential typosquats"
       puts "  ecosystems                       List supported ecosystems"
@@ -222,6 +258,7 @@ module Typosquatting
       puts "Examples:"
       puts "  typosquatting generate requests -e pypi"
       puts "  typosquatting check requests -e pypi --existing-only"
+      puts "  typosquatting discover rails -e gem --with-variants"
       puts "  typosquatting confusion my-package -e maven"
       puts "  typosquatting sbom bom.json"
     end
@@ -379,5 +416,42 @@ module Typosquatting
         puts "Found #{results.length} suspicious package(s)"
       end
     end
+
+    def output_discover_results(discovered, existing_variants, options)
+      case options[:format]
+      when "json"
+        data = {
+          discovered: discovered.map(&:to_h),
+          existing_variants: existing_variants&.map(&:to_h)
+        }.compact
+        puts JSON.pretty_generate(data)
+      else
+        if discovered.empty? && (existing_variants.nil? || existing_variants.empty?)
+          puts "No similar packages found"
+          return
+        end
+
+        if discovered.any?
+          puts "Similar packages found (by edit distance):"
+          puts ""
+          discovered.each do |result|
+            puts "  #{result.name} (distance: #{result.distance})"
+          end
+          puts ""
+        end
+
+        if existing_variants&.any?
+          puts "Generated variants that exist:"
+          puts ""
+          existing_variants.each do |result|
+            puts "  #{result.name}"
+          end
+          puts ""
+        end
+
+        puts "Found #{discovered.length} similar package(s)"
+        puts "Found #{existing_variants.length} existing variant(s)" if existing_variants&.any?
+      end
+    end
   end
 end

data/lib/typosquatting/ecosystems/base.rb

@@ -40,6 +40,10 @@ module Typosquatting
         false
       end
 
+      def namespace_controls_members?
+        true
+      end
+
       def parse_namespace(name)
         [nil, name]
       end

data/lib/typosquatting/generator.rb

@@ -85,19 +85,21 @@ module Typosquatting
         end
       end
 
-      name_algorithms.each do |algorithm|
-        name_variants = algorithm.generate(name)
-        name_variants.each do |name_variant|
-          full_name = rebuild_namespaced_name(namespace, name_variant)
-          next if full_name == package_name
-          next unless ecosystem.valid_name?(full_name)
-          next if same_after_normalisation?(package_name, full_name)
-
-          results << Variant.new(
-            name: full_name,
-            algorithm: algorithm.name,
-            original: package_name
-          )
+      unless ecosystem.namespace_controls_members?
+        name_algorithms.each do |algorithm|
+          name_variants = algorithm.generate(name)
+          name_variants.each do |name_variant|
+            full_name = rebuild_namespaced_name(namespace, name_variant)
+            next if full_name == package_name
+            next unless ecosystem.valid_name?(full_name)
+            next if same_after_normalisation?(package_name, full_name)
+
+            results << Variant.new(
+              name: full_name,
+              algorithm: algorithm.name,
+              original: package_name
+            )
+          end
         end
       end
 

data/lib/typosquatting/lookup.rb

@@ -4,6 +4,7 @@ require "net/http"
 require "json"
 require "uri"
 require "purl"
+require "set"
 
 module Typosquatting
   class Lookup
@@ -51,6 +52,119 @@ module Typosquatting
       response&.map { |r| Registry.new(r) } || []
     end
 
+    def list_names(registry:, prefix: nil, postfix: nil, critical: nil, page: nil, per_page: nil)
+      params = []
+      params << "prefix=#{URI.encode_www_form_component(prefix)}" if prefix
+      params << "postfix=#{URI.encode_www_form_component(postfix)}" if postfix
+      params << "critical=true" if critical
+      params << "page=#{page}" if page
+      params << "per_page=#{per_page}" if per_page
+      query = params.empty? ? "" : "?#{params.join("&")}"
+
+      fetch("/registries/#{URI.encode_www_form_component(registry)}/package_names#{query}") || []
+    end
+
+    def list_all_names(registry:, prefix: nil, postfix: nil, critical: nil, per_page: 100)
+      all_names = []
+      page = 1
+
+      loop do
+        names = list_names(
+          registry: registry,
+          prefix: prefix,
+          postfix: postfix,
+          critical: critical,
+          page: page,
+          per_page: per_page
+        )
+        break if names.empty?
+
+        all_names.concat(names)
+        break if names.length < per_page
+
+        page += 1
+      end
+
+      all_names
+    end
+
+    def discover(package_name, max_distance: 2)
+      registry = registries.first
+      return [] unless registry
+
+      prefix = package_name[0, 3]
+      candidates = list_names(registry: registry.name, prefix: prefix)
+
+      candidates.filter_map do |candidate|
+        next if candidate == package_name
+
+        distance = levenshtein(package_name.downcase, candidate.downcase)
+        next if distance > max_distance || distance == 0
+
+        DiscoveryResult.new(
+          name: candidate,
+          target: package_name,
+          distance: distance
+        )
+      end.sort_by(&:distance)
+    end
+
+    def check_with_variants(package_name, variants)
+      registry = registries.first
+      return [] unless registry
+
+      prefix = package_name[0, 3]
+      existing = list_names(registry: registry.name, prefix: prefix)
+      existing_set = existing.map(&:downcase).to_set
+
+      variant_names = variants.map { |v| v.is_a?(String) ? v : v.name }
+
+      variant_names.filter_map do |variant|
+        exists = existing_set.include?(variant.downcase)
+        VariantCheckResult.new(
+          name: variant,
+          exists: exists
+        )
+      end
+    end
+
+    def levenshtein(s1, s2)
+      m, n = s1.length, s2.length
+      return n if m == 0
+      return m if n == 0
+
+      d = Array.new(m + 1) { |i| i }
+      x = nil
+
+      (1..n).each do |j|
+        d[0] = j
+        x = j - 1
+
+        (1..m).each do |i|
+          cost = s1[i - 1] == s2[j - 1] ? 0 : 1
+          x, d[i] = d[i], [d[i] + 1, d[i - 1] + 1, x + cost].min
+        end
+      end
+
+      d[m]
+    end
+
+    DiscoveryResult = Struct.new(:name, :target, :distance, keyword_init: true) do
+      def to_h
+        { name: name, target: target, distance: distance }
+      end
+    end
+
+    VariantCheckResult = Struct.new(:name, :exists, keyword_init: true) do
+      def exists?
+        exists
+      end
+
+      def to_h
+        { name: name, exists: exists }
+      end
+    end
+
     Result = Struct.new(:name, :purl, :packages, :ecosystem, keyword_init: true) do
       def exists?
         !packages.empty?

data/lib/typosquatting/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Typosquatting
-  VERSION = "0.2.0"
+  VERSION = "0.4.0"
 end

data/research/README.md

@@ -0,0 +1,74 @@
+# Typosquatting Research Tools
+
+Scripts for analyzing potential typosquats across package registries.
+
+## critical_packages.rb
+
+Scans critical packages (high OpenSSF criticality score) from a registry for potential typosquats using our detection algorithms. Results are written to a timestamped CSV file.
+
+```bash
+# Scan rubygems.org critical packages (high-confidence algorithms only)
+ruby research/critical_packages.rb rubygems.org
+
+# Include all algorithm matches
+ruby research/critical_packages.rb rubygems.org --all
+
+# Limit to first N packages (useful for testing)
+ruby research/critical_packages.rb rubygems.org --limit=100
+```
+
+Supported registries: rubygems.org, npmjs.org, pypi.org, crates.io, packagist.org, hex.pm, pub.dev, proxy.golang.org, repo1.maven.org, nuget.org
+
+## Algorithms
+
+By default, only high-confidence algorithms are used (less likely to produce false positives):
+
+- homoglyph - lookalike characters (l vs 1, O vs 0)
+- repetition - doubled characters (lodash vs llodash)
+- replacement - adjacent keyboard keys (lodash vs lodazh)
+- transposition - swapped adjacent characters (lodash vs lodasj)
+- omission - dropped characters (lodash vs lodas)
+
+Use `--all` to include all 17 algorithms.
+
+## Filters
+
+The script applies several filters to reduce false positives:
+
+- **Short names**: Packages under 5 characters are skipped (too many false positives)
+- **Higher downloads**: Packages with more downloads than the critical package are skipped (not typosquats)
+- **Popular packages**: Packages with >= 1% of the critical package's downloads are skipped (likely legitimate)
+- **Predates target**: Packages created before the critical package are skipped (can't be typosquats)
+
+## CSV Output
+
+Output files are named `{registry}_{timestamp}.csv` with these columns:
+
+| Column | Description |
+|--------|-------------|
+| critical_package | The critical package being checked |
+| critical_downloads | Total downloads of the critical package |
+| critical_created | First release date of the critical package |
+| critical_repo | Repository URL of the critical package |
+| potential_typosquat | A similarly named package that exists |
+| algorithm | Which detection algorithm matched |
+| squat_downloads | Total downloads of the potential typosquat |
+| download_ratio | Squat downloads as percentage of critical downloads |
+| squat_created | First release date of the potential typosquat |
+| squat_status | Package status (empty = active, "removed" = yanked) |
+| squat_repo | Repository URL of the potential typosquat |
+| squat_description | Package description |
+
+## Interpreting Results
+
+Signs of a real typosquat:
+- `squat_status` is "removed" (already yanked by registry)
+- No repository URL
+- Very low download ratio
+- Description is empty or generic
+- Created shortly after the critical package became popular
+
+Signs of a false positive:
+- Has a legitimate repository with real code
+- Description describes unrelated functionality
+- Reasonable download count for its purpose

data/research/critical_packages.rb

@@ -0,0 +1,282 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "typosquatting"
+require "csv"
+
+class CriticalPackageScanner
+  SHORT_NAME_THRESHOLD = 5
+  POPULAR_RATIO_THRESHOLD = 1.0 # Skip squats with >= 1% of critical package downloads
+
+  REGISTRY_MAP = {
+    "rubygems.org" => "rubygems",
+    "npmjs.org" => "npm",
+    "pypi.org" => "pypi",
+    "crates.io" => "cargo",
+    "packagist.org" => "composer",
+    "hex.pm" => "hex",
+    "pub.dev" => "pub",
+    "proxy.golang.org" => "golang",
+    "repo1.maven.org" => "maven",
+    "nuget.org" => "nuget"
+  }.freeze
+
+  # High confidence algorithms that indicate likely intentional typosquatting
+  HIGH_CONFIDENCE_ALGORITHMS = %w[
+    homoglyph
+    repetition
+    replacement
+    transposition
+    omission
+  ].freeze
+
+  attr_reader :registry, :results, :errors, :high_confidence_only, :limit
+
+  def initialize(registry:, high_confidence_only: true, limit: nil)
+    @registry = registry
+    @high_confidence_only = high_confidence_only
+    @limit = limit
+    @results = []
+    @errors = []
+    @prefix_cache = {}
+  end
+
+  def run
+    packages = fetch_critical_packages
+    puts "Found #{packages.length} critical packages for #{registry}"
+    puts
+
+    packages.each_with_index do |package, index|
+      scan_package(package, index + 1, packages.length)
+    end
+
+    write_csv
+    print_summary
+  end
+
+  def fetch_critical_packages
+    packages = lookup.list_all_names(registry: registry, critical: true, per_page: 1000)
+    limit ? packages.first(limit) : packages
+  end
+
+  def scan_package(package_name, current, total)
+    print "\r[#{current}/#{total}] Scanning #{package_name.ljust(40)}"
+
+    # Skip short names - too many false positives
+    return if package_name.length < SHORT_NAME_THRESHOLD
+
+    # Generate typosquatting variants using our algorithms
+    variants = generator.generate(package_name)
+    return if variants.empty?
+
+    # Fetch details for the critical package first (needed for download/date comparison)
+    critical_details = fetch_package_details(package_name)
+    @current_critical_downloads = critical_details&.dig("downloads") || 0
+    @current_critical_created = critical_details&.dig("first_release_published_at")
+
+    # Check which variants exist on the registry
+    existing = check_variants_exist(package_name, variants)
+    return if existing.empty?
+
+    results << {
+      package: package_name,
+      critical_details: critical_details,
+      matches: existing
+    }
+  rescue Typosquatting::APIError => e
+    errors << { package: package_name, error: e.message }
+  rescue StandardError => e
+    errors << { package: package_name, error: e.message }
+  end
+
+  def check_variants_exist(package_name, variants)
+    # Filter to high-confidence algorithms if requested
+    if high_confidence_only
+      variants = variants.select { |v| HIGH_CONFIDENCE_ALGORITHMS.include?(v.algorithm) }
+    end
+
+    # Group variants by prefix for efficient lookup
+    variants_by_prefix = variants.group_by { |v| v.name[0, 3] }
+
+    existing = []
+    variants_by_prefix.each do |prefix, prefix_variants|
+      @prefix_cache[prefix] ||= lookup.list_names(registry: registry, prefix: prefix)
+      existing_set = @prefix_cache[prefix].map(&:downcase).to_set
+
+      prefix_variants.each do |variant|
+        if existing_set.include?(variant.name.downcase) && variant.name.downcase != package_name.downcase
+          # Fetch package details
+          details = fetch_package_details(variant.name)
+          squat_downloads = details&.dig("downloads") || 0
+          squat_created = details&.dig("first_release_published_at")
+
+          # Skip if squat has more downloads than critical package - not a squat
+          next if squat_downloads > @current_critical_downloads
+
+          # Skip if squat is too popular (likely legitimate)
+          if @current_critical_downloads > 0
+            ratio = squat_downloads.to_f / @current_critical_downloads * 100
+            next if ratio >= POPULAR_RATIO_THRESHOLD
+          end
+
+          # Skip if squat predates the critical package (can't be a typosquat)
+          if squat_created && @current_critical_created
+            next if squat_created < @current_critical_created
+          end
+
+          existing << {
+            variant: variant,
+            description: details&.dig("description"),
+            repository_url: details&.dig("repository_url"),
+            downloads: squat_downloads,
+            first_release: squat_created,
+            status: details&.dig("status")
+          }
+        end
+      end
+    end
+
+    existing
+  end
+
+  def fetch_package_details(package_name)
+    result = lookup.check(package_name)
+    result.packages.first
+  rescue StandardError
+    nil
+  end
+
+  def generator
+    @generator ||= Typosquatting::Generator.new(ecosystem: ecosystem_for_registry)
+  end
+
+  def lookup
+    @lookup ||= Typosquatting::Lookup.new(ecosystem: ecosystem_for_registry)
+  end
+
+  def ecosystem_for_registry
+    REGISTRY_MAP[registry] || "rubygems"
+  end
+
+  def output_filename
+    timestamp = Time.now.strftime("%Y%m%d_%H%M%S")
+    "#{registry.gsub(".", "_")}_#{timestamp}.csv"
+  end
+
+  def write_csv
+    return if results.empty?
+
+    filename = output_filename
+    filepath = File.join(__dir__, filename)
+
+    CSV.open(filepath, "w") do |csv|
+      csv << [
+        "critical_package", "critical_downloads", "critical_created", "critical_repo",
+        "potential_typosquat", "algorithm", "squat_downloads", "download_ratio", "squat_created", "squat_status", "squat_repo", "squat_description"
+      ]
+
+      results.each do |result|
+        critical = result[:critical_details]
+        critical_downloads = critical&.dig("downloads") || 0
+        result[:matches].each do |match|
+          squat_downloads = match[:downloads] || 0
+          ratio = critical_downloads > 0 ? (squat_downloads.to_f / critical_downloads * 100).round(4) : 0
+
+          csv << [
+            result[:package],
+            critical_downloads,
+            critical&.dig("first_release_published_at")&.split("T")&.first,
+            critical&.dig("repository_url"),
+            match[:variant].name,
+            match[:variant].algorithm,
+            squat_downloads,
+            "#{ratio}%",
+            match[:first_release]&.split("T")&.first,
+            match[:status],
+            match[:repository_url],
+            match[:description]&.gsub(/\s+/, " ")&.strip
+          ]
+        end
+      end
+    end
+
+    puts "\n\nResults written to #{filepath}"
+  end
+
+  def print_summary
+    puts "\n"
+    puts "=" * 60
+    puts "Results for #{registry}"
+    puts "=" * 60
+    puts
+
+    if results.empty?
+      puts "No potential typosquats found."
+    else
+      puts "Found #{results.length} critical packages with potential typosquats"
+      puts "Total potential typosquats: #{results.sum { |r| r[:matches].length }}"
+
+      # Algorithm breakdown
+      algo_counts = Hash.new(0)
+      results.each do |result|
+        result[:matches].each { |m| algo_counts[m[:variant].algorithm] += 1 }
+      end
+
+      puts "\nBy algorithm:"
+      algo_counts.sort_by { |_, count| -count }.each do |algo, count|
+        puts "  #{algo}: #{count}"
+      end
+
+      # Flag suspicious packages (no repo, low downloads)
+      suspicious = []
+      results.each do |result|
+        result[:matches].each do |match|
+          if match[:repository_url].nil? || match[:repository_url].to_s.empty?
+            suspicious << "#{match[:variant].name} (no repo, #{match[:downloads] || 0} downloads)"
+          end
+        end
+      end
+
+      if suspicious.any?
+        puts "\nSuspicious (no repository):"
+        suspicious.first(10).each { |s| puts "  #{s}" }
+        puts "  ... and #{suspicious.length - 10} more" if suspicious.length > 10
+      end
+
+      # Flag removed/yanked packages (confirmed typosquats)
+      removed = []
+      results.each do |result|
+        result[:matches].each do |match|
+          if match[:status] == "removed"
+            removed << "#{match[:variant].name} (targeting #{result[:package]})"
+          end
+        end
+      end
+
+      if removed.any?
+        puts "\nConfirmed (already yanked):"
+        removed.first(10).each { |s| puts "  #{s}" }
+        puts "  ... and #{removed.length - 10} more" if removed.length > 10
+      end
+    end
+
+    return if errors.empty?
+
+    puts "\n" + "=" * 60
+    puts "Errors (#{errors.length}):"
+    puts "=" * 60
+    errors.each do |error|
+      puts "  #{error[:package]}: #{error[:error]}"
+    end
+  end
+end
+
+if __FILE__ == $PROGRAM_NAME
+  registry = ARGV[0] || "rubygems.org"
+  high_confidence_only = !ARGV.include?("--all")
+  limit = ARGV.find { |a| a.start_with?("--limit=") }&.split("=")&.last&.to_i
+
+  scanner = CriticalPackageScanner.new(registry: registry, high_confidence_only: high_confidence_only, limit: limit)
+  scanner.run
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: typosquatting
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -49,6 +49,7 @@ extra_rdoc_files: []
 files:
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- Dockerfile
 - LICENSE
 - README.md
 - Rakefile
@@ -89,6 +90,8 @@ files:
 - lib/typosquatting/lookup.rb
 - lib/typosquatting/sbom.rb
 - lib/typosquatting/version.rb
+- research/README.md
+- research/critical_packages.rb
 - sig/typosquatting.rbs
 homepage: https://github.com/andrew/typosquatting
 licenses: