
This is incorrect. Package repositories with namespacing are just as vulnerable to these attacks.


Say that a popular package lives at `jack/foo`. An attacker needs only register `jakc` and create a package `foo`, and now anyone typing `blah install jakc/foo` is owned. There's a reason why "namespacing" isn't listed under the "Defenses against typo squatting" section.

Just read my other reply.
