Shared Repositories (StarJacking)

Metadata associated with packages is self-reported, including the source repository. It is therefore possible for a malicious package to publish metadata that points at the repository of a known good package, borrowing that project's stars and reputation. This is often called StarJacking.

The obvious answer would be to ensure that there is only ever a single package record for a given repository, but analysis in this segment is complicated by two facts: (1) not every known good package publishes metadata, so some very high quality projects are effectively ‘unclaimed’ in package repository metadata; and (2) some repositories have good reasons for producing multiple packages (for example, DefinitelyTyped publishes TypeScript (npm) packages for over a thousand libraries).

Sigstore signatures, as formal proof of origin, represent the long-term direction that offers the most promise of addressing the issue systematically. A prominent element of Trusty is drawing attention to the presence (or absence) of Sigstore signatures.

When Sigstore signatures are not present for a specific package, Trusty will show you when multiple packages claim the same repository. Although this may be perfectly innocuous repository sharing, it is worth taking a look at those packages to assess them.
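The check described above, written out as an added example that is not Trusty's own code: it normalizes each package's self-reported repository URL (scheme, case, `git+` prefix, scp-style `git@host:owner/repo`, trailing `.git`), groups packages by the normalized repository, and flags unsigned packages whose repository is also claimed by another package. The sample records, the `sigstore` field, and the allowlist of repositories known to publish many packages are all constructed assumptions for this example; DefinitelyTyped is on the allowlist because the text names it as a legitimate multi-package repository.

```python
"""Flag packages whose self-reported source repository is shared with other
packages (a StarJacking signal), skipping packages that carry a Sigstore
signature and repositories known to legitimately publish many packages."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample metadata records: names, repos and signature status are
# made up for this example and do not describe real packages.
SAMPLE_PACKAGES = [
    {"name": "widget", "ecosystem": "npm",
     "repo": "https://github.com/example-org/widget", "sigstore": True},
    {"name": "widget-fast", "ecosystem": "npm",
     "repo": "git+https://github.com/example-org/widget.git", "sigstore": False},
    {"name": "@types/alpha", "ecosystem": "npm",
     "repo": "https://github.com/DefinitelyTyped/DefinitelyTyped/", "sigstore": False},
    {"name": "@types/beta", "ecosystem": "npm",
     "repo": "git@github.com:DefinitelyTyped/DefinitelyTyped.git", "sigstore": False},
    {"name": "parser-lib", "ecosystem": "pypi",
     "repo": "HTTP://GitHub.com/Example-Org/Parser-Lib", "sigstore": False},
    {"name": "parser_lib_py", "ecosystem": "pypi",
     "repo": "https://github.com/example-org/parser-lib", "sigstore": False},
    {"name": "lonely", "ecosystem": "pypi",
     "repo": "https://github.com/example-org/lonely", "sigstore": False},
    {"name": "nopath", "ecosystem": "pypi", "repo": "", "sigstore": False},
]

# Assumed allowlist of repositories that legitimately back many packages.
MULTI_PACKAGE_REPOS = {"github.com/definitelytyped/definitelytyped"}


def normalize_repo(url):
    """Reduce a repository URL to 'host/owner/repo' so that spelling
    variants of the same repository compare equal. Returns None when the
    URL does not name an owner and repository."""
    if not url:
        return None
    url = url.strip()
    if url.startswith("git+"):
        url = url[4:]
    if "://" not in url and "@" in url and ":" in url:
        # scp-style git URL: git@github.com:owner/repo.git
        host_part, _, path = url.partition(":")
        host = host_part.rsplit("@", 1)[-1]
    else:
        parsed = urlparse(url)
        host, path = parsed.netloc.rsplit("@", 1)[-1], parsed.path
    parts = [p for p in path.strip("/").split("/") if p]
    if len(parts) < 2:
        return None
    owner, repo = parts[0].lower(), parts[1].lower()
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"{host.lower()}/{owner}/{repo}"


def group_by_repo(packages):
    """Map each normalized repository to the packages that claim it."""
    groups = defaultdict(list)
    for pkg in packages:
        key = normalize_repo(pkg.get("repo"))
        if key:
            groups[key].append(pkg)
    return groups


def starjacking_candidates(packages):
    """Return unsigned packages whose repository is also claimed by another
    package, unless the repository is on the multi-package allowlist."""
    groups = group_by_repo(packages)
    findings = []
    for pkg in packages:
        key = normalize_repo(pkg.get("repo"))
        if key is None or key in MULTI_PACKAGE_REPOS:
            continue
        claimants = groups[key]
        # A Sigstore signature is proof of origin, so signed packages are not
        # flagged; the unsigned claimants of the same repo are.
        if len(claimants) < 2 or pkg["sigstore"]:
            continue
        findings.append({
            "package": pkg["name"],
            "ecosystem": pkg["ecosystem"],
            "repo": key,
            "also_claimed_by": [p["name"] for p in claimants if p is not pkg],
        })
    return findings


if __name__ == "__main__":
    for f in starjacking_candidates(SAMPLE_PACKAGES):
        print(f"{f['ecosystem']}:{f['package']} claims {f['repo']}, "
              f"also claimed by {', '.join(f['also_claimed_by'])}")
```

Run against the sample records this flags `widget-fast` (it shares a repository with the signed `widget`) and both `parser-lib` and `parser_lib_py` (two unsigned packages, neither of which can prove origin), while the two DefinitelyTyped packages and the singleton `lonely` are left alone. The URL normalization is the part worth getting right in practice: without it, `git+https://.../widget.git` and `https://.../widget` look like different repositories and the sharing goes unnoticed.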