Supply Chain Security

1 findingMCP08MCP10ASI04CoSAI-T6CoSAI-T8CoSAI-T11MAESTRO-L4EU-AI-Act-Art-9AML.T0017#

Malicious & Typosquat Packages

1 finding
D3

Typosquatting Risk in Dependencies

HighMCP10-supply-chain

Server depends on 'expresss' (triple s) with Levenshtein distance 1 from 'express'

  1. 1Open the manifest and confirm the dependency `redis@5.0.0` is present. The scanner's similarity pipeline matched this name against the curated target `ioredis` via the levenshtein-near classifier. If this dependency is an intentional internal fork or re-export, add it to `legitimate-forks.ts` so the finding will no longer fire.npm:redis@5.0.0Expect: Dependency npm:redis@5.0.0 is declared; it is NOT in the legitimate-fork allowlist at scan time.
  2. 2Recompute the Damerau-Levenshtein distance and Jaro-Winkler similarity between `redis` and `ioredis` using the same primitives as the scanner. Concretely, the rule expects Damerau-Levenshtein ≤ 3 and Jaro-Winkler ≥ 0.80 (except for advisory-registry matches which skip the floor). Observed values: distance 2, Jaro-Winkler 0.905.npm:redis@5.0.0Expect: Damerau-Levenshtein distance between "redis" and "ioredis" is 2. Jaro-Winkler is 0.905. The numbers agree with what the rule recorded.
  3. 3Open the package manifest at this RFC 6901 pointer and read the line. Confirm the package name recorded in the manifest is literally `redis` (not a spelling the build tool fuzzed to) and that no post-resolution rewrite turns this entry into the legitimate `ioredis`.package.json/dependencies/redisExpect: The manifest entry at package.json/dependencies/redis resolves to redis@5.0.0 — the exact name the scanner flagged.
  4. 4Open the npm page for `redis` and compare against the legitimate `ioredis`. Check: publisher identity, publish date, weekly download count, repository link, postinstall script presence. A typosquat typically presents as: recently published, low download count, no repository link, optionally carrying a postinstall hook that executes code at install time.npm:redis@5.0.0Expect: Either the candidate is a legitimate publisher-authored alternative (in which case add to `legitimate-forks.ts`) or its metadata confirms the typosquat hypothesis (recent, unknown publisher, low downloads, suspicious scripts).
sourceexternal-content
npm:redis@5.0.0
Dependency npm:redis@5.0.0 is within Damerau-Levenshtein distance 2 of ioredis (threshold 3).

Dependency names are external content resolved from public package registries. A near-miss to a popular canonical name is a supply-chain anomaly under ISO 27001 A.5.21 — the package manager installs whichever spelling is declared, with no built-in guard against lexically similar substitutions.

propagationdirect-pass
package.json/dependencies/redis
The manifest entry at /dependencies/redis directs the package manager to resolve and install redis@5.0.0. Resolution is purely string-matched against the registry — a typosquatted name installs whatever code the squatter published.
sinkcommand-execution
npm:redis@5.0.0
Malicious package `redis` executes attacker code in the build environment or at import time. Attack classifier: levenshtein-near. Target shadowed: `ioredis`.
mitigationinput-validationabsent
package.json/dependencies/redis

Lockfiles pin versions but do not pin the spelling of the dependency name. The static analyser cannot confirm whether a typosquat-aware package firewall (Socket.dev, Snyk Advisor) is in the CI chain; the auditor must verify.

impactremote-code-execution
server-host

A developer installs `redis` by typo, copy-paste, or autocomplete. The package's postinstall hook runs during installation with the developer's or CI runner's credentials, or the payload executes on first import when the MCP server starts. An MCP server compromised this way delegates full tool authority to attacker code on every downstream agent interaction.

trivial
Confidence90%ISO-27001-A.5.21ISO/IEC 27001:2022 Annex A Control 5.21 — ICT Supply Chain Security
5 confidence factors
  • +0.1input-validation absentNo input-validation found — Lockfiles pin versions but do not pin the spelling of the dependency name. The static analyser cannot confirm whether a typosquat-aware package firewall (Socket.dev, Snyk Advisor) is in the CI chain; the auditor must verify.
  • +0.1target_distance_under_thresholdDamerau-Levenshtein distance 2 between `redis` and `ioredis` is within the target's declared ceiling of 3. Combined with the Jaro-Winkler agreement check, this is the distance-only classifier — the most common class.
  • +0.06algorithm_agreement_highJaro-Winkler similarity 0.905 ≥ 0.90 — two complementary algorithms (Damerau-Levenshtein + Jaro-Winkler) agree on the similarity claim. Agreement across algorithms is the filter against single-algorithm noise.
  • -0.04legitimate_fork_allowlist_consultedThe candidate was not in legitimate-forks.ts at scan time. The rule records this explicitly so the finding can be dismissed by adding to the allowlist, with audit trail, if the reviewer confirms the dependency is a sanctioned variant.
  • -0.02charter_confidence_capD3 charter caps confidence at 0.9 — similarity is fuzzy and a candidate within Damerau-Levenshtein distance of a popular target can still be a legitimate namespace fork or internal alias the allowlist has not yet captured. The 0.10 gap signals "strong static evidence, reviewer should corroborate against the public registry before removal".
Methodology5 tests · 4 frameworks
Technique
similarity
Tests (5)
  1. legitimate-fork-allowlist
  2. visual-confusable-replay
  3. scope-squat-detection
  4. numeric-version-suffix-strip
  5. algorithm-agreement-gate
Lethal edge cases (7)
  • Legitimate namespace fork — `lodash-es` is a real package within Damerau-Levenshtein distance 3 of `lodash`. A detector that fires purely on edit distance misclassifies it as a typosquat. The rule suppresses candidates listed in `legitimate-forks.ts` and down-weights candidates whose only extra content is a structural suffix like `-es`, `-fork`, `-pro`.
  • Visual-confusable graphemes in ASCII — `rnistral` differs from `mistral` by substituting `rn` for `m`. Pure Damerau-Levenshtein scores distance 2 but doesn't flag this as "near" `mistral` with high confidence. The rule re-evaluates every <=2-distance candidate through `visuallyConfusableVariants` to catch the RN/M, CL/D, VV/W cohort.
  • Scope-squat under a different scope — `@mcp/sdk` shadows the official `@modelcontextprotocol/sdk` via scope replacement rather than substring edits. Character-level Levenshtein would consider these far apart. The rule runs a scope-squat check on any dependency whose UNSCOPED tail matches the tail of a `scoped_official` target but whose scope differs (including no-scope).
  • Version-suffixed package — `react-18`, `webpack-5`, `python-3.12`. These are legitimate publisher-versioned aliases and must not be flagged. The rule treats numeric suffixes separated by `-` or `.` as non-material for the similarity comparison — the suffix is stripped before Damerau-Levenshtein evaluation.
  • Deprecated-official official rename — `request` is deprecated in favour of `got`, yet `request` remains a published package and many legacy servers still depend on it. The rule must NOT flag `request` as a typosquat of `got` (distance-wise these are far apart anyway, but the rule nonetheless documents this class to acknowledge the failure mode).
  • Author-internal name coinciding with a public near-miss — an org's private package `@acme/requestss` is three edits from public `requests`. The rule cannot distinguish private from public registries statically; it emits the finding with a `no_confirmed_malicious_record` factor (negative adjustment) so the reviewer sees that the finding is distance-only and can apply organisational context to dismiss.
  • Short-name collisions — `axios` has length 5. A Damerau-Levenshtein distance of 2 against `axios` produces many legitimate 3-5 character unrelated names (e.g. a greenfield utility called `axles`). The rule uses the target's declared `max_distance` (2 for short names, 3 for longer) and additionally requires a Jaro-Winkler similarity ≥ 0.80 before firing — agreement between two complementary algorithms is the filter against single-algorithm noise.
Confidence cap
unbounded
Frameworks (4)
  • EU AI ActArt.9Risk Management System
  • OWASP MCPMCP08Dependency Vulnerabilities
  • OWASP MCPMCP10Supply Chain Compromise
  • OWASP ASIASI04Agentic Supply Chain
Backing
  • Precision:
  • Recall:
  • Red-team fixtures: 4
  • CVE replays: none
  • Last validated:
Test 3 more rules — give us more context1 input gap
Live connection3 rules

To unlock these tests: register a live MCP endpoint.

  • E1No Authentication RequiredCode VulnerabilitiesServer-Hardening Failures
  • E2Insecure TransportAuthentication & IdentitySession & Transport Security
  • E3Response Time AnomalyAudit & LoggingAbsent or Unstructured Logging

Tested cleanly

  • Prompt Injection24 rules tested cleanly
  • Tool Poisoning17 rules tested cleanly
  • Code Vulnerabilities23 rules tested cleanly
  • Data Exfiltration15 rules tested cleanly
  • Authentication & Identity9 rules tested cleanly
  • Human Oversight6 rules tested cleanly
  • Audit & Logging5 rules tested cleanly
  • Multi-Agent Security1 rule tested cleanly
  • Protocol & Transport15 rules tested cleanly
  • Denial of Service7 rules tested cleanly
  • Container & Runtime10 rules tested cleanly
  • Model Manipulation8 rules tested cleanly
arifOS — Constitutional AI Governance security findings — MCP Sentinel