Meta question: do we really need a separate post every time someone puts up a typosquatting package on a public repository? These aren’t instances of the package indexes being compromised, or of accounts of legitimate maintainers being compromised; they’re always just people throwing stuff out there in package names they hope someone will be tricked into installing. Which is just a known part of running a public package index. It would only be newsworthy if the index was refusing to take action when these packages get reported, and nobody’s presented evidence of that, at least not that I’m aware of.
It would also be news if a repository figured out how to significantly reduce the frequency of these compromises.
I wonder why they haven’t added a feature where packages with a name that’s one character off from a package with a certain number of monthly downloads require additional verification measures. Maybe there just aren’t enough resources for that sort of review process?
Crafting a set of automatic rules that a) don’t get in the way of good actors, and b) can’t trivially be avoided by bad actors would be really difficult.
I’d rather hear this news, just in case I have such a package in my dependencies. The techniques are also interesting.
This is something that’s more easily fixed with auditing tools in your projects than with hoping someone will post an article on an aggregator you follow; there’s also the fact that the package will just stop installing because it was yanked by the index.
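The "one character off from a popular package" rule suggested a few comments up, written as the kind of local audit check this comment has in mind, as an added example that is not code from any poster or from any package index. It assumes a constructed popular-package list with made-up download counts and requirements.txt-style input; a real tool would pull the counts from the index's download statistics.

```python
import re

# Constructed sample of widely used packages with made-up monthly download counts.
POPULAR = {
    "requests": 300_000_000,
    "urllib3": 280_000_000,
    "numpy": 150_000_000,
    "six": 120_000_000,
}
DOWNLOAD_THRESHOLD = 1_000_000  # only guard names of packages above this


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, adjacent swap."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def suspicious(dependency: str, popular=POPULAR, threshold=DOWNLOAD_THRESHOLD):
    """Return the popular package this name is one edit away from, else None."""
    dep = normalize(dependency)
    for pkg, downloads in popular.items():
        if downloads < threshold or normalize(pkg) == dep:
            continue  # an exact match is the real package, not a lookalike
        if edit_distance(dep, normalize(pkg)) == 1:
            return pkg
    return None


def audit(requirements: str):
    """Scan requirements.txt-style text; return (dependency, lookalike_of) pairs."""
    hits = []
    for line in requirements.splitlines():
        # Strip version specifiers, extras and markers to get the bare name.
        name = re.split(r"[<>=!~;\[ ]", line.strip(), maxsplit=1)[0]
        if name and not name.startswith("#"):
            target = suspicious(name)
            if target:
                hits.append((name, target))
    return hits
```

The exact-match skip matters: without it every legitimate dependency on a popular package would be reported against itself, which is the "getting in the way of good actors" problem raised in the reply above.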
How about trusted PyPI, where you can have OSS developer-trusted/reviewed packages? Go or Rust has some proposal on this.