TH17113
Detected presence of files containing URLs that use typosquatted variations of trusted domains.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. Typosquatting relies on typographical errors than might occur when typing the domain name or a top-level domain (TLD) code the trusted domain is registered under. By predicting common spelling mistakes, attackers can pre-register domains with URLs that the users are likely to visit directly. While presence of typosquatted variations in network references does not imply malicious intent, all instances of this issue should be reviewed for spelling mistakes and typos. An attacker could be controlling the domains the application intends to connect to.
How to resolve the issueโ
- Investigate reported detections.
- If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
- You should delay the software release until the investigation is completed, or until the issue is risk accepted.
- Remove all references to flagged network locations.
Recommended readingโ
- Typosquatting (ReversingLabs glossary)
- Typosquatting campaign delivers r77 rootkit via npm (ReversingLabs blog)