NuGet Typosquatting

ID

typosquatting_nuget

Severity

high

Family

Typosquatting

Description

Typosquatting occurs when an attacker publishes a package whose group or name closely resembles that of a popular package, so that users install the look-alike package by mistake. The strategy is generic and is used against many package managers, including NuGet.

Security

If the project depends on the malicious package, code written by the attacker can be executed during restore, build, or at runtime.

The malicious package may even replicate the functionality of the original, so the substitution goes unnoticed and the attacker's code ends up running in a production environment.

Examples

project.assets.json

...
    "Newtansoft.Json/13.0.1": {
      "type": "package",
      "compile": {
        "lib/netstandard2.0/BouncyCastle.Crypto.dll": {}
      },
      "runtime": {
        "lib/netstandard2.0/BouncyCastle.Crypto.dll": {}
      }
    }
...

The Newtansoft.Json package does not exist. The popular package is Newtonsoft.Json.
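A detection routine for this rule, given here as an added example rather than this tool's own code: it parses a project.assets.json document, collects the ids of restored packages, and flags any id that is not a known popular package but lies within a small edit distance of one, proposing that package as the replacement. The popular-package list and the JSON fragment are constructed for the example.

```python
import json

# Constructed allow-list of well-known NuGet package ids (assumption: a real
# scanner would use a curated list or the feed's download counts instead).
POPULAR_PACKAGES = {"Newtonsoft.Json", "Serilog", "Microsoft.Extensions.Logging"}

# Constructed project.assets.json fragment containing the look-alike id from the page.
SAMPLE_ASSETS = json.dumps({"targets": {"net8.0": {
    "Newtansoft.Json/13.0.1": {"type": "package"},
    "Serilog/3.1.1": {"type": "package"},
    "MyCompany.Internal/1.0.0": {"type": "project"},
}}})

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def package_ids(assets_json):
    """Yield the id part of every "id/version" key of type "package" across all targets."""
    for libraries in json.loads(assets_json).get("targets", {}).values():
        for key, entry in libraries.items():
            if entry.get("type") == "package":
                yield key.split("/", 1)[0]

def find_typosquats(assets_json, popular=POPULAR_PACKAGES, max_distance=2):
    """Map ids that are not a popular id but lie within max_distance of one to that id.
    Comparison is case-insensitive because NuGet package ids are."""
    known = {p.lower() for p in popular}
    findings = {}
    for pid in package_ids(assets_json):
        if pid.lower() in known:
            continue
        closest = min(popular, key=lambda p: osa_distance(pid.lower(), p.lower()))
        if osa_distance(pid.lower(), closest.lower()) <= max_distance:
            findings[pid] = closest
    return findings

if __name__ == "__main__":
    for suspicious, suggestion in find_typosquats(SAMPLE_ASSETS).items():
        print(f"{suspicious}: not a known package, did you mean {suggestion}?")
```

The distance threshold is deliberately small: a larger one would flag unrelated internal packages, so tune it against your own dependency set.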

Mitigation / Fix

Choose the right dependency and be careful when adding new ones.

When this tool finds such a misconfiguration, it proposes a popular package to replace the malicious one.