Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

False positive: Typosquatting

See original GitHub issue

Hi there, first off all: awesome tools you guys made! 🎉 Second, I encountered the following output when scanning a requirements.txt file:

Found 2 potentially malicious indicators in ruamel-yaml version 0.17.21

typosquatting: This package closely ressembles the following package names, and might be a typosquatting attempt: ruamel-yaml, ruamel-yaml

code-execution: found 1 source code matches
  * file executing code at ruamel.yaml-0.17.21/

I do get why the second indicator is found, but the first one confuses me:

The package name (also installed on my machine) is ruamel.yaml. There is no package named ruamel-yaml in either my requirements nor on PyPi. Did something went from with the dots in the package name? Or is it because this package is listed in your typosquatting list as ruamel-yaml?


Issue Analytics

  • State:closed
  • Created 10 months ago
  • Comments:9 (5 by maintainers)

github_iconTop GitHub Comments

QuinceyJamescommented, Dec 9, 2022

Hi! I don’t think that should be an issue since PEP 503 states:

This PEP references the concept of a “normalized” project name. As per PEP 426 the only valid characters in a name are the ASCII alphabet, ASCII numbers, ., -, and _. The name should be lowercased with all runs of the characters ., -, or _ replaced with a single - character.


Repositories MAY redirect unnormalized URLs to the canonical normalized URL (e.g. /Foobar/ may redirect to /foobar/), however clients MUST NOT rely on this redirection and MUST request the normalized URL.

You’ll notice PyPi does redirect all of these to the same site:

But more importantly, PIP does not rely on this redirection and gets the normalized URL thanks to pip._internal.utils.packaging. These utilities can be reused by importing packaging and normalizing the name before running the typosquat algorithm.

HugooBcommented, Dec 12, 2022

Great job @QuinceyJames , thanks for the detailed information!

Read more comments on GitHub >

github_iconTop Results From Across the Web

Fixing False Positives and Duplicate Errors in the ... - GitHub
Problem. If a package has a dot in the name and it is a 'top package', then the typosquatting algorithm reports an error;...
Read more >
What do you need to know about Typosquatting?
The typosquatters guess or track the mistakes people are likely to make while searching the legitimate website and reserve the domain to diversify...
Read more >
What are Typosquatting attacks? - TEHTRIS
Typosquatting is a form of social engineering attack. This technique consists in imitating a legitimate site. It is also called URL hijacking or ......
Read more >
Learning-based Typosquatting Detection at Deeper Domain ...
Typosquatting consists of registering Internet domain names ... monitor the DNS traffic of an ISP, due to a rather high false positive rate...
Read more >
What is typosquatting? A simple but effective attack technique
A typosquatting attack, also known as a URL hijacking, a sting site, or a fake URL, is a type of social engineering where...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found