Hello and welcome to the Thursday, August 17, 2023 edition of the Sandton and Stormsenders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

In the past, I talked a lot about malicious packages in Python's PIPP ecosystem or the Node.js NPM ecosystem. But well, they're not alone when it

comes to malicious packages. Researchers from Aqua Nodulus did publish some work looking into

malicious modules in the PowerShell Gallery. PowerShell Gallery is maintained by Microsoft, and as the name suggests,

does contain PowerShell packages. So lots of useful tools here that you can download,

but not every package that you find is actually useful. Some of them are outright malicious,

and it appears that some attackers have

discovered good old tricks like typo-squadding can be used in order to trick users to download

their malicious package. And it doesn't help that developers don't always sort of adhere to the

informal conventions when it comes to package naming.

The researchers here point out that many, many packages that deal with Asia start the name with

ACDOT. And there is a very popular package called ACTable, well, without the dot.

Now, they as a test uploaded a package ACDOT table, which would sort of more match the more common

convention here.

And of course, it was accepted, it was published, and made available for download. Aqua did publish this particular

package with a callback so they could detect if it was actually being used, and yes, they immediately

did notice multiple organizations downloading and using this typosquotted version of AC table.

So just like with Python, Node.js, or any language that offers a repository like this,

where anybody can upload packages, well, be sure that you know what you're downloading.

Be careful.

And in particular, the type of squatting part here is something that is avoidable if you are

...