Detection
RUNT (Registry Uncover Naming Threats) detects typosquatting attacks using multiple string similarity algorithms.
How It Works
RUNT compares package names against a database of popular packages using:
- Levenshtein Distance – Edit distance between strings
- Jaro-Winkler Similarity – Weighted prefix matching
- Keyboard Proximity – Adjacent keys on QWERTY layout
- Homoglyph Detection – Similar-looking Unicode characters
- Phonetic Matching – Sounds-alike detection
Attack Types Detected
| Attack Type | Example | Target |
|---|---|---|
| CHARACTER_OMISSION | cros-env | cross-env |
| CHARACTER_SWAP | axois | axios |
| CHARACTER_INSERTION | expresss | express |
| HOMOGLYPH | cross-еnv (Cyrillic е, U+0435) | cross-env |
| KEYBOARD_TYPO | lodasj | lodash |
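The checks listed under How It Works and the attack labels in the table above, as an added illustration that is not RUNT's own code: an optimal-string-alignment edit distance (so a swapped pair counts as one edit), a QWERTY row-adjacency check and a simplified non-ASCII homoglyph check, run against a constructed popular-package list. `POPULAR`, `THRESHOLD`, `QWERTY_ROWS`, `check()` and the `SUBSTITUTION` fallback label are assumptions, not RUNT's database, configuration or API.

```python
# Constructed sample list and threshold (assumptions, not RUNT's real database/config)
POPULAR = ["cross-env", "axios", "express", "lodash"]
THRESHOLD = 0.8
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or adjacent swap."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # count a swap as one edit
    return d[-1][-1]

def similarity(a, b):
    """Normalised similarity in [0, 1]; rounded so 0.8 compares cleanly with the threshold."""
    return round(1 - edit_distance(a, b) / max(len(a), len(b), 1), 3)

def keys_adjacent(x, y):
    """True if x and y are horizontal neighbours on a QWERTY row (diagonals ignored)."""
    return any(x in r and y in r and abs(r.index(x) - r.index(y)) == 1 for r in QWERTY_ROWS)

def classify(name, target):
    """Label the edit that turns target into name, using the page's attack-type names."""
    if not name.isascii() and target.isascii():  # simplified homoglyph check
        return "HOMOGLYPH"
    if len(name) == len(target) - 1:
        return "CHARACTER_OMISSION"
    if len(name) == len(target) + 1:
        return "CHARACTER_INSERTION"
    diffs = [i for i, (x, y) in enumerate(zip(name, target)) if x != y]
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1 and name[diffs[0]] == target[diffs[1]] \
            and name[diffs[1]] == target[diffs[0]]:
        return "CHARACTER_SWAP"
    if len(diffs) == 1 and keys_adjacent(name[diffs[0]], target[diffs[0]]):
        return "KEYBOARD_TYPO"
    return "SUBSTITUTION"

def check(name):
    """Closest popular package at or above THRESHOLD, or None when the name looks safe."""
    if name in POPULAR:
        return None
    best = max(POPULAR, key=lambda p: similarity(name, p))
    score = similarity(name, best)
    if score < THRESHOLD:
        return None
    return {"package": name, "mimics": best, "similarity": score, "attack_type": classify(name, best)}
```

Plain Levenshtein would score `axois` against `axios` at 0.6 and miss it; treating the adjacent transposition as one edit is what lifts it to the 0.8 threshold.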
Configuration
```yaml
detection:
  runt:
    enabled: true
    threshold: 0.8        # Similarity threshold (0.0-1.0)
    max_candidates: 5     # Max similar packages to check
    check_homoglyphs: true  # Enable Unicode detection
```
Example Output
```text
⚠️ THREAT DETECTED: Typosquatting Attack
Package: cros-env
Mimics: cross-env (12M downloads/week)
Attack Type: CHARACTER_OMISSION
Similarity: 0.923
Risk Level: CRITICAL
Features:
  - Levenshtein: 0.89
  - Jaro-Winkler: 0.94
  - Keyboard: 0.0
  - Homoglyph: 0.0
```
⚠️ False Positives
RUNT may flag legitimate packages whose names happen to resemble a popular package. Review the overall similarity score and the individual feature scores before making a determination; scores below 0.8 are typically safe.