Typosquatting: Fake ghrc.io Registry Could Slip Malicious Containers Into Developer Environments
Published
- Discovery: Fake ghrc.io registry mimics GitHub’s legitimate ghcr.io.
- Risk: Developers may unknowingly pull malicious containers from the typo domain.
- Impact: Malicious code could enter pipelines, causing breaches and disruptions.
Researchers highlighted that developers mistakenly pulling images from ghrc.io instead of the legitimate ghcr.io registry may run malicious containers, which is an emerging supply chain threat.
If developers inadvertently pull content from malicious domains, code may seep into production pipelines, infecting applications and potentially causing data breaches or service disruptions.
Domain-Level Typosquatting
Typosquatting is a technique where attackers register domains or package names that resemble legitimate ones, tricking users into trusting them and downloading malicious content.
”In logs or configuration files, ghcr.io and ghrc.io basically look identical at a glance. Developers may not notice the swap until something breaks, or even worse, when the damage is already done,” a Cloudsmith analysis noted, stressing how subtle domain errors in registries can be exploited for malicious purposes.
Implications and Threats
The risk was flagged in a LinkedIn post by Max Jonas Werner, who warned that someone is operating an actual container registry at ghrc.io, potentially stealing credentials. The discussion in developer communities on Hacker News, had users debating the implications and shared mitigation strategies.
“Registering a lookalike domain – like ghrc.io instead of ghcr.io – isn’t a new idea, but it’s still an effective way for attackers to exploit inevitable human error” noted Shane Barney, CISO at Keeper Security. He also emphasized the use of least-privilege access controls as a preventive measure.
Such traps for developers creating packages with names that resemble common typos lead to accidental downloads of malicious code, explained Boris Cipot, Senior Security Engineer at Black Duck.
Typosquatting extends beyond software packages to include website domains and other internet addresses. Cipot added that another, less frequent vector involves hostile takeovers of open-source repositories, where malicious code is inserted into a project’s codebase.
These attacks often target transitive dependencies, components indirectly referenced during development or builds, making them particularly difficult for developers to detect, Cipot concluded.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, cautioned that developers need to pay closer attention to third-party software sourced through automation. He framed typosquatting as another threat vector, validating the intent behind software bills of materials (SBOM).
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular