Tom! That's a great insight. In Wolfi, we just added two tests to the
package linter to protect against these types of attacks:

- Unusual URL characters, including IDN URLs:
`^[a-z0-9][a-z0-9\.\-]+\.[a-z]{2,6}$` -
https://github.com/wolfi-dev/wolfictl/pull/496
- "off-by-one" check that flagged any URL that was 1-character off another
URL mentioned in another package (using levenshtein distance):
https://github.com/wolfi-dev/wolfictl/pull/500

Based on this thread, I added support to Atomdrift Scan @ HEAD for
homograph URL detection; but the technique is also simple enough that it
could be trivially embedded elsewhere.


On Wed, Jun 17, 2026 at 5:44 AM Tom Hale <[email protected]> wrote:

> Even reviewing PKGBUILDs, there are things that I CAN'T see, see, eg
> homograph attacks[1] for a package that I've not installed before (no diff
> highlight).
>
> An example of a `source` array attack vector:
>
>  - https://install.example-cli.dev   # safe
>  - https://іnstall.example-clі.dev
> <https://xn--nstall-ovf.xn--example-cl-62i.dev>   # compromised
>
> See the difference?  You can't.  Neither can you via the terminal.  Both
> 2nd-line `і` characters are Cyrillic (U+0456), not Latin `i`. The second
> URL resolves to an attacker's server.
>
> Don't believe me? Copy the 2nd url into your browser -- browsers solved
> this years ago, the 2nd displays as:
>     http://xn--nstall-ovf.xn--example-cl-62i.dev/
>
> So even if I know what sources a package should use, I may not be able to
> tell that they are actually being used.
>
> I believe this is yet another example as to why defence-in-depth via
> automated PKGBUILD scanners is needed.
>
> I care about community members with less experience than myself in
> reviewing PKGBUILDs.  I don't (yet) know how to hook in some of the
> automated scanners that have been mentioned here into paru and yay
> pre-install hooks, but if YOU know I think it would be of great value to
> have this knowledge be much more widespread.
> I asked how to do it here:
> https://www.reddit.com/r/archlinux/comments/1u85cig/defense_in_depth_pkgbuild_scan_hooks_for_paru_yay/
>
>
> [1] https://en.wikipedia.org/wiki/IDN_homograph_attack
>

Reply via email to