Reply to post: flat namespace is typo-squatting friendly.

Typo-squatting NPM software supply chain attack uncovered

Anonymous Coward

flat namespace is typo-squatting friendly.

The predominantly used flat NPM namespace aggravates this problem.

In fact NPM allows a two-level namespace <account name>/<package name>, but that is so rarely used that using it, without also ensuring the rhs <package name> is unused and claiming it, would be an invitation for a hacker to do so. Therefore, most developers won't bother with the account name.

IMO - what NPM should do at a minimum is to require all new packages to include the <account name> component.

NPM might also require a two or three character distance difference between any new account and any existing one.
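The two registry-side rules proposed in this comment (require the account component on new names, and reject names within a small edit distance of existing ones) sketched as a check, as an added example that is not part of the original comment or of npm's own code. The sample registry contents, the distance threshold of 3, the separator normalisation and the simplified `@account/package` pattern are assumptions for illustration, not npm's actual naming rules.

```javascript
// Added example (not from the commenter or from npm): a registry-side
// admission check implementing the two policies suggested in the comment.

// Levenshtein distance: minimum number of single-character insertions,
// deletions or substitutions that turn string a into string b.
// Single-row dynamic programming, O(|a|*|b|) time, O(|b|) space.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Names are compared case-insensitively with the separators that look-alike
// names most often play on ("-", "_", ".") removed, so "lo-dash" collides
// with "lodash" at distance 0. (Assumed normalisation, not npm's.)
function normalise(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Assumed threshold: the "two or three character distance" from the comment.
const MIN_DISTANCE = 3;

// Returns null when the candidate is far enough from every existing name,
// otherwise the closest conflicting name and its distance.
function tooClose(candidate, existingNames, minDistance = MIN_DISTANCE) {
  const c = normalise(candidate);
  let worst = null;
  for (const existing of existingNames) {
    const distance = levenshtein(c, normalise(existing));
    if (distance < minDistance && (worst === null || distance < worst.distance)) {
      worst = { existing, distance };
    }
  }
  return worst;
}

// Simplified check that a new package name carries the account component,
// i.e. has the form @account/package. Real npm scoped-name rules are looser;
// this pattern is an illustration of the suggestion, not npm's validator.
function hasAccountComponent(pkgName) {
  return /^@[a-z0-9][a-z0-9._-]*\/[a-z0-9][a-z0-9._-]*$/.test(pkgName);
}

// Constructed sample of names already registered.
const EXISTING_ACCOUNTS = ['lodash', 'express', 'react'];

// Full admission decision for a new account name: returns a reason string
// for rejection, or null if the name may be registered.
function rejectAccount(name, existing = EXISTING_ACCOUNTS) {
  const clash = tooClose(name, existing);
  if (clash) {
    return `too close to existing account "${clash.existing}" (distance ${clash.distance})`;
  }
  return null;
}

// Usage with the constructed sample:
console.log(rejectAccount('lodahs'));   // rejected, distance 2 from "lodash"
console.log(rejectAccount('fastify'));  // null: far from every existing name
console.log(hasAccountComponent('@acme/widgets'), hasAccountComponent('widgets'));
```

The distance check is run against normalised names so that case and separator variants are treated as the same string; the threshold is applied to account names here, but the same function applies unchanged to package names within a scope.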
