
In March 2023, I started working at the Rust Foundation as a developer focused on ecosystem security, funded by Alpha-Omega. From the start, my primary focus has been on better securing Rust’s crate (package) ecosystem: detecting malware, developing best practices, and so on.
Among many other things, I was soon pointed to work Dan Gardner, then at AWS, had done to detect typosquatted crate names. (Quite possibly by Dan himself, but time has robbed me of the exact details. My apologies if I am crediting the wrong person.) As soon as I saw that work, and the original paper presenting typogard, I knew that it was critical that we include typosquatting detection in the crates.io publication pipeline.
(As a sidebar: it turned out that crates.io had an issue suggesting this from 2017, which I’m embarrassed to admit that I didn’t see until rather late in the process.)
The reason is that crates.io has a flat namespace, and as such is particularly vulnerable to typosquatting attacks: it’s easy for an inattentive developer to run cargo add serd when they meant cargo add serde, and suddenly find themselves with something quite different to the serialisation library they’d intended to add.
At the end of August 2023, I began experimenting with a proof of concept that integrated typosquatting checks into crates.io. The first step, since the crates.io backend is unsurprisingly written in Rust, was to port Dan’s typogard-crates Python tool into a Rust crate called typomania.
After that, I implemented a new background job in crates.io that is triggered by the publication of a new crate, and opened a (then-draft) pull request to crates.io. (As it happened, this PR also eventually fulfilled a long-standing request around typosquatting in the crates.io repository that I was unaware of until much later in the process than I should have been.)
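As an added illustration (not code from crates.io or the typomania crate), here is a simplified version of the kind of check described above: it enumerates the names one typo away from each popular crate and flags a newly published name that matches one. The typo classes, their names and the popular-crate list are assumptions for the example.

```rust
/// Typo class that maps a candidate onto a popular crate name.
#[derive(Debug, PartialEq, Eq, Clone)]
pub enum Reason {
    Omission,      // "serd"       vs "serde"
    Transposition, // "sedre"      vs "serde"
    Repetition,    // "serdee"     vs "serde"
    Separator,     // "tokio_util" vs "tokio-util"
}

/// Every name one keystroke error away from `popular`, tagged with its typo class.
/// (Assumed, simplified categories; not typomania's own rule set.)
fn variants(popular: &str) -> Vec<(String, Reason)> {
    let chars: Vec<char> = popular.chars().collect();
    let mut out = Vec::new();
    for i in 0..chars.len() {
        let mut omit = chars.clone(); // drop character i
        omit.remove(i);
        out.push((omit.into_iter().collect(), Reason::Omission));
        let mut rep = chars.clone(); // double character i
        rep.insert(i, chars[i]);
        out.push((rep.into_iter().collect(), Reason::Repetition));
        if i + 1 < chars.len() && chars[i] != chars[i + 1] {
            let mut swap = chars.clone(); // swap adjacent characters
            swap.swap(i, i + 1);
            out.push((swap.into_iter().collect(), Reason::Transposition));
        }
    }
    // `-` and `_` are distinct names on crates.io but trivially confused.
    if popular.contains('-') || popular.contains('_') {
        let sep: String = popular.chars().map(|c| match c { '-' => '_', '_' => '-', c => c }).collect();
        out.push((sep, Reason::Separator));
    }
    out
}

/// Check a freshly published crate name against a popular-crate list.
/// Returns the popular crate it collides with and the typo class, or None.
pub fn check_name(candidate: &str, popular: &[&str]) -> Option<(String, Reason)> {
    if popular.contains(&candidate) {
        return None; // the real crate publishing a new version is not a typosquat
    }
    popular.iter().find_map(|p| {
        variants(p)
            .into_iter()
            .find(|(v, _)| v.as_str() == candidate)
            .map(|(_, reason)| (p.to_string(), reason))
    })
}
```

In a publication pipeline the "popular" list would be drawn from download counts, and a hit would produce a report for a human to review rather than an automatic rejection.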
The crates.io team — especially team lead Tobias Bieniek — provided excellent feedback and support, and after discussions, agreed to ship it as an experiment in November 2023, with reports going to myself and Walter Pearce, my security engineer colleague at the Rust Foundation (whose position is also funded by Alpha-Omega!).
I’m pleased to report that, almost 18 months later, the typosquatting checks have found four malicious crates right as they were published, allowing us to respond almost immediately to take the crates down before they saw any actual use. We’ve also been able to expand the scope of the checks over this time based on crates that have evaded the typosquatting checks in various forms and been detected by other methods and/or reported by community members, making these checks more robust and sensitive.
Supply chain security — especially in the context of packaging — requires many layers of defence, and typosquatting checks are only one of them. Our experience is that they have provided a low overhead additional check that has produced real results, with minimal maintenance or performance overhead to crates.io, and we’re looking forward to continuing to develop and integrate these layers to improve the security of the Rust ecosystem in the coming years.