{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T10:50:56Z","timestamp":1778151056955,"version":"3.51.4"},"publisher-location":"Cham","reference-count":49,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030657444","type":"print"},{"value":"9783030657451","type":"electronic"}],"license":[{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020]]},"DOI":"10.1007\/978-3-030-65745-1_7","type":"book-chapter","created":{"date-parts":[[2020,12,18]],"date-time":"2020-12-18T08:03:25Z","timestamp":1608278605000},"page":"112-131","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":37,"title":["Defending Against Package Typosquatting"],"prefix":"10.1007","author":[{"given":"Matthew","family":"Taylor","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ruturaj","family":"Vaidya","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Drew","family":"Davidson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lorenzo","family":"De 
Carli","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Vaibhav","family":"Rastogi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2020,12,19]]},"reference":[{"key":"7_CR1","unstructured":"Senate Report 106\u2013140-THE ANTICYBERSQUATTING CONSUMER PROTECTION ACT, August 1999. https:\/\/www.govinfo.gov\/content\/pkg\/CRPT-106srpt140\/html\/CRPT-106srpt140.html"},{"key":"7_CR2","unstructured":"Athalye, A., Hristov, R., Nguyen, T., Nguyen, Q.: Package Manager Security. Technical Report. https:\/\/pdfs.semanticscholar.org\/d398\/d240e916079e418b77ebb4b3730d7e959b15.pdf"},{"key":"7_CR3","doi-asserted-by":"crossref","unstructured":"Axelsson, S.: The base-rate fallacy and its implications for the difficulty of intrusion detection. In: Proceedings of the 6th ACM Conference on Computer and Communications Security-CCS 1999, pp. 1\u20137. ACM Press (1999)","DOI":"10.1145\/319709.319710"},{"key":"7_CR4","unstructured":"Baldwin, A.: Malicious package report: destroyer-of-worlds-snyk.io, May 2019. https:\/\/snyk.io\/vuln\/SNYK-JS-DESTROYEROFWORLDS-174777"},{"key":"7_CR5","unstructured":"Bengtson, W.: Defensive typosquatting packages created by PyPI user wbengtson, January 2018. https:\/\/pypi.org\/user\/wbengtson\/"},{"key":"7_CR6","doi-asserted-by":"crossref","unstructured":"Bommarito, E., Bommarito, M.: An empirical analysis of the python package index (PyPI). arXiv preprint arXiv:1907.11073 (2019)","DOI":"10.2139\/ssrn.3426281"},{"key":"7_CR7","unstructured":"Bullock, M.: Python module: PyPI-parker, October 2017. https:\/\/pypi.org\/project\/pypi-parker\/"},{"key":"7_CR8","doi-asserted-by":"crossref","unstructured":"B\u00f6hme, R., Grossklags, J.: The security cost of cheap user interaction. In: Proceedings of the 2011 Workshop on New Security Paradigms Workshop-NSPW 2011. 
ACM Press (2011)","DOI":"10.1145\/2073276.2073284"},{"key":"7_CR9","doi-asserted-by":"crossref","unstructured":"Cadariu, M., Bouwers, E., Visser, J., van Deursen, A.: Tracking known security vulnerabilities in proprietary software systems. In: SANER (2015)","DOI":"10.1109\/SANER.2015.7081868"},{"key":"7_CR10","doi-asserted-by":"crossref","unstructured":"Cappos, J., Samuel, J., Baker, S., Hartman, J.H.: A look in the mirror: attacks on package managers. In: CCS (2008)","DOI":"10.1145\/1455770.1455841"},{"key":"7_CR11","doi-asserted-by":"publisher","unstructured":"Chakradeo, S., Reaves, B., Traynor, P., Enck, W.: Mast: Triage for market-scale mobile malware analysis. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks. WiSec 2013, New York, NY, USA, pp. 13\u201324. ACM (2013). https:\/\/doi.org\/10.1145\/2462096.2462100, http:\/\/doi.acm.org\/10.1145\/2462096.2462100","DOI":"10.1145\/2462096.2462100"},{"key":"7_CR12","doi-asserted-by":"crossref","unstructured":"Chatterjee, R., et al.: The spyware used in intimate partner violence. In: IEEE Symposium on Security and Privacy, pp. 441\u2013458. IEEE Computer Society (2018)","DOI":"10.1109\/SP.2018.00061"},{"key":"7_CR13","unstructured":"Cimpanu, C.: Twelve malicious python libraries found and removed from PyPI, October 2018. https:\/\/www.zdnet.com\/article\/twelve-malicious-python-libraries-found-and-removed-from-pypi\/"},{"key":"7_CR14","unstructured":"Claburn, T.: This typosquatting attack on npm went undetected for 2 weeks, August 2017. https:\/\/www.theregister.co.uk\/2017\/08\/02\/typosquatting_npm\/"},{"issue":"10","key":"7_CR15","doi-asserted-by":"publisher","first-page":"2007","DOI":"10.1109\/TMC.2014.2381212","volume":"14","author":"J Crussell","year":"2015","unstructured":"Crussell, J., Gibler, C., Chen, H.: Andarwin: scalable detection of android application clones based on semantics. IEEE Trans. Mob. Comput. 
14(10), 2007\u20132019 (2015)","journal-title":"IEEE Trans. Mob. Comput."},{"key":"7_CR16","unstructured":"Denvraver, H.: Malicious packages found to be typo-squatting in python package index, December 2019. https:\/\/snyk.io\/blog\/malicious-packages-found-to-be-typo-squatting-in-pypi\/"},{"key":"7_CR17","unstructured":"Duan, R.: Malicious package report: device-mqtt - snyk.io, August 2019. https:\/\/snyk.io\/vuln\/SNYK-JS-DEVICEMQTT-458732"},{"key":"7_CR18","doi-asserted-by":"crossref","unstructured":"Fass, A., Backes, M., Stock, B.: HideNoSeek: camouflaging malicious JavaScript in Benign ASTs. In: CCS. ACM Press (2019)","DOI":"10.1145\/3319535.3345656"},{"key":"7_CR19","doi-asserted-by":"crossref","unstructured":"German, D.M., Adams, B., Hassan, A.E.: The evolution of the r software ecosystem. In: CSMR (2013)","DOI":"10.1109\/CSMR.2013.33"},{"key":"7_CR20","series-title":"Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering","doi-asserted-by":"publisher","first-page":"436","DOI":"10.1007\/978-3-319-23829-6_30","volume-title":"International Conference on Security and Privacy in Communication Networks","author":"H Gonzalez","year":"2015","unstructured":"Gonzalez, H., Stakhanova, N., Ghorbani, A.A.: DroidKin: lightweight detection of android apps similarity. In: Tian, J., Jing, J., Srivatsa, M. (eds.) SecureComm 2014. LNICST, vol. 152, pp. 436\u2013453. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-23829-6_30"},{"key":"7_CR21","unstructured":"Hejderup, J.. In Dependencies We Trust: How vulnerable are dependencies in software modules? Master\u2019s thesis, Delft University of Technology, May 2015"},{"key":"7_CR22","doi-asserted-by":"crossref","unstructured":"Hu, Y., et al.: Mobile app squatting. In: Proceedings of the Web Conference, vol. 2020, pp. 
1727\u20131738 (2020)","DOI":"10.1145\/3366423.3380243"},{"key":"7_CR23","doi-asserted-by":"crossref","unstructured":"Kula, R.G., Roover, C.D., German, D., Ishio, T., Inoue, K.: Visualizing the evolution of systems and their library dependencies. In: IEEE VISSOFT (2014)","DOI":"10.1109\/VISSOFT.2014.29"},{"key":"7_CR24","unstructured":"Lakshmanan, R.: Over 700 malicious typosquatted libraries found on rubygems repository, May 2020. https:\/\/thehackernews.com\/2020\/04\/rubygem-typosquatting-malware.html"},{"key":"7_CR25","unstructured":"npm Maintainers: The npm blog - numeric precision matters: how npm download counts work, July 2014. https:\/\/blog.npmjs.org\/post\/92574016600\/numeric-precision-matters-how-npm-download-counts"},{"key":"7_CR26","unstructured":"npm Maintainers: npm-scope|npm documentation, August 2015. https:\/\/docs.npmjs.com\/using-npm\/scope.html"},{"key":"7_CR27","unstructured":"npm Maintainers: New package moniker rules, December 2017. https:\/\/blog.npmjs.org\/post\/168978377570\/new-package-moniker-rules"},{"key":"7_CR28","unstructured":"npm Maintainers: The npm blog-\u2018crossenv\u2019 malware on the npm registry, August 2017. https:\/\/blog.npmjs.org\/post\/163723642530\/crossenv-malware-on-the-npm-registry"},{"key":"7_CR29","doi-asserted-by":"crossref","unstructured":"Pfretzschner, B., ben Othmane, L.: Identification of dependency-based attacks on node.js. In: ARES (2017)","DOI":"10.1145\/3098954.3120928"},{"key":"7_CR30","doi-asserted-by":"crossref","unstructured":"Plate, H., Ponta, S.E., Sabetta, A.: Impact assessment for vulnerabilities in open-source software libraries. In: ICSME (2015)","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"7_CR31","doi-asserted-by":"crossref","unstructured":"Raemaekers, S., van Deursen, A., Visser, J.: The maven repository dataset of metrics, changes, and dependencies. 
In: MSR (2013)","DOI":"10.1109\/MSR.2013.6624031"},{"key":"7_CR32","unstructured":"Security, C.: Contrast labs: Software libraries represent just seven percent of application vulnerabilities, July 2017. https:\/\/www.prnewswire.com\/news-releases\/contrast-labs-software-libraries-represent-just-seven-percent-of-applicationvulnerabilities-300492907.html"},{"key":"7_CR33","unstructured":"npm Security Team: Malicious package report: browserift - snyk.io, July 2019. https:\/\/snyk.io\/vuln\/SNYK-JS-BROWSERIFT-455282"},{"key":"7_CR34","unstructured":"npm Security Team: Malicious package report: comander - snyk.io, October 2019. https:\/\/snyk.io\/vuln\/SNYK-JS-COMANDER-471676"},{"key":"7_CR35","unstructured":"npm Security Team: npm security advisory: babel-laoder, November 2019. https:\/\/www.npmjs.com\/advisories\/1348"},{"key":"7_CR36","unstructured":"npm Security Team: npm security advisory: sj-tw-sec, November 2019. https:\/\/www.npmjs.com\/advisories\/1309"},{"key":"7_CR37","unstructured":"npm Security Team: npm security advisories, May 2020. https:\/\/www.npmjs.com\/advisories"},{"key":"7_CR38","doi-asserted-by":"crossref","unstructured":"Spaulding, J., Upadhyaya, S., Mohaisen, A.: The landscape of domain name Typosquatting: techniques and countermeasures. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 284\u2013289, August 2016","DOI":"10.1109\/ARES.2016.84"},{"key":"7_CR39","unstructured":"Stufft, D.: Pep 503-simple repository API, September 2015. https:\/\/www.python.org\/dev\/peps\/pep-0503\/#normalized-names"},{"key":"7_CR40","doi-asserted-by":"crossref","unstructured":"Szurdi, J., Christin, N.: Email typosquatting. In: Proceedings of the 2017 Internet Measurement Conference, London, United Kingdom, pp. 419\u2013431. IMC\u20192017, Association for Computing Machinery, November 2017","DOI":"10.1145\/3131365.3131399"},{"key":"7_CR41","unstructured":"Team, S.S.: Prototype pollution in lodash|snyk, July 2019. 
https:\/\/snyk.io\/vuln\/SNYK-JS-LODASH-450202"},{"key":"7_CR42","unstructured":"Team, S.S.: Vulnerability db, May 2020. https:\/\/snyk.io\/vuln"},{"key":"7_CR43","unstructured":"Tellnes, J.: Dependencies: No Software is an Island. Master\u2019s thesis, The University of Bergen, October 2013"},{"key":"7_CR44","unstructured":"Tschacher, N.P.: Typosquatting in Programming Language Package Managers. University of Hamburg, Hamburg (Bachelor), March 2016"},{"key":"7_CR45","doi-asserted-by":"crossref","unstructured":"Viennot, N., Garcia, E., Nieh, J.: A measurement study of google play. In: ACM SIGMETRICS Performance Evaluation Review, vol. 42, pp. 221\u2013233. ACM (2014)","DOI":"10.1145\/2637364.2592003"},{"key":"7_CR46","doi-asserted-by":"publisher","unstructured":"Wermke, D., Huaman, N., Acar, Y., Reaves, B., Traynor, P., Fahl, S.: A large scale investigation of obfuscation use in google play. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, December 03\u201307, 2018, pp. 222\u2013235. ACM (2018). https:\/\/doi.org\/10.1145\/3274694.3274726","DOI":"10.1145\/3274694.3274726"},{"key":"7_CR47","doi-asserted-by":"crossref","unstructured":"Wittern, E., Suter, P., Rajagopalan, S.: A look at the dynamics of the javascript package ecosystem. In: MSR (2016)","DOI":"10.1145\/2901739.2901743"},{"key":"7_CR48","doi-asserted-by":"crossref","unstructured":"Younis, A.A., Malaiya, Y.K., Ray, I.: Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability. In: HASE (2014)","DOI":"10.1109\/HASE.2014.10"},{"key":"7_CR49","unstructured":"Zimmermann, M., Staicu, C.A., Pradel, M.: Small world with high risks: a study of security threats in the npm ecosystem. In: USENIX, p. 
17 (2019)"}],"container-title":["Lecture Notes in Computer Science","Network and System Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-65745-1_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,12,18]],"date-time":"2020-12-18T08:37:57Z","timestamp":1608280677000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-65745-1_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020]]},"ISBN":["9783030657444","9783030657451"],"references-count":49,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-65745-1_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020]]},"assertion":[{"value":"19 December 2020","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"NSS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Network and System Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Melbourne, VIC","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Australia","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2020","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"25 November 2020","order":7,"name":"conference_start_date","label":"Conference Start 
Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27 November 2020","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"nss2020","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/nsclab.org\/nss2020\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Easychair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"60","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"17","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"9","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"28% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole 
number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4,2","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2,75","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Due to the Corona pandemic the event was held virtually.","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}