Fake Terraform Registry module namespace-squat IaC drift PR lure — "Renovate has detected a new terraform module source — update from hashicorp/aws-vpc to hashicorp-aws/vpc and re-run terraform init within 24 hours" / "update the source attribute in your module block from terraform-aws-modules/vpc/aws to terraform-aws-mods/vpc-aws and run terraform init within 48 hours." Sender NOT on the canonical Terraform / IaC vendor allowlist (hashicorp.com, terraform.io, registry.terraform.io, github.com, githubusercontent.com, githubapp.com, renovatebot.com, dependabot.com, gitlab.com, bitbucket.org, pulumi.com, spacelift.io, env0.com, terraformcloud.io, app.terraform.io). Real Terraform Registry module updates flow through the module-version constraint and Renovate / Dependabot bots that bump the version, never via inbound email demanding a namespace swap. Distinct from R7 npm-provenance-spoof (npm-publish-trust) and R8 cdn-pin-rotation (CDN SRI) — this signal is specifically the *Terraform Registry namespace squat* pretext (e.g., hashicorp/aws-vpc → hashicorp-aws/vpc namespace swap, IaC drift PR mail with module-source rewrite; module pulled at `terraform init` time, attacker code runs in the maintainer's CI). Source: Red-Team R8 multi-agent council S1 (supply-chain specialist).
terraform-registry-module-squat-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake Terraform Registry module namespace-squat IaC-drift PR lure targeting DevOps engineers, SRE, and IaC maintainers. The phish narrative arrives as: "Renovate has detected a new terraform module source for your VPC infrastructure. Please update from hashicorp/aws-vpc to hashicorp-aws/vpc and re-run terraform init within 24 hours to pull the new namespace. Action required," or "Your Terraform Registry module source has been migrated to a new namespace. Please update the source attribute in your module block from terraform-aws-modules/vpc/aws to terraform-aws-mods/vpc-aws and run terraform init within 48 hours. Mandatory."

The Terraform Registry namespace-squat attack pattern: an attacker registers a similar-looking module namespace (e.g., `hashicorp/aws-vpc` → `hashicorp-aws/vpc`, or `terraform-aws-modules/vpc/aws` → `terraform-aws-mods/vpc-aws`) and sends a Renovate-styled PR mail that asks the maintainer to update the module source. When the maintainer merges the PR and runs `terraform init`, the attacker-controlled module is downloaded and any provisioner / local-exec / data-source code in the module runs in the maintainer's CI environment with full IaC blast radius. Real Terraform Registry module updates flow through the module-version constraint and Renovate / Dependabot bots that bump the version (not the namespace), never via inbound email demanding a namespace swap.

Sender NOT on the canonical Terraform / IaC vendor allowlist (hashicorp.com, terraform.io, registry.terraform.io, github.com, githubusercontent.com, githubapp.com, renovatebot.com, dependabot.com, gitlab.com, bitbucket.org, pulumi.com, spacelift.io, env0.com, terraformcloud.io, app.terraform.io). Distinct from R7 npm-provenance-spoof (npm-publish-trust) and R8 cdn-pin-rotation (CDN SRI); this signal is specifically the *Terraform Registry namespace squat* pretext.

Fires when the body references:
"terraform (registry/module/init/plan/apply)" / terraform / "terraform-aws-modules?" / "hashicorp/<module>" / "registry.terraform.io" / "module (source/block)" / "iac (drift/module)" / "infrastructure-as-code"
AND "namespace (swap/swap(ped)/migrat(ion/ed)/change(d)/update(d)/rewrite/rewritten)" / "module (namespace/source/migrat(ion/ed))" / "migrate from/to <ns>/<m>" / "update from/to <ns>(-aws)?/<m>" / "module source (rewrite/update/change/migrat)"
AND "re-run (terraform) init" / "terraform init (within/to pull)" / "run (terraform) init within" / "pull the (new) (namespace/module)" / "update (the) (source attribute/module block/module source)"
AND within N hours-days / 24-48 hours / action required / mandatory / "module (will be) (rejected/deprecated/removed)" urgency.

Excludes the canonical Terraform / IaC / GitHub / Renovate / Dependabot domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S1 (supply-chain specialist).
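The four AND-ed phrase groups and the sender-allowlist exclusion described above, sketched as an added Python example (not Gorganizer's own code). The regexes are simplified approximations of the listed phrase families, and the sender domain `tf-updates.example` and the `BUMP` mail are constructed; `LURE` is the first narrative quoted on this page.

```python
import re

# Sender domains listed on this page as canonical Terraform / IaC vendors.
ALLOWLIST = {
    "hashicorp.com", "terraform.io", "registry.terraform.io", "github.com",
    "githubusercontent.com", "githubapp.com", "renovatebot.com", "dependabot.com",
    "gitlab.com", "bitbucket.org", "pulumi.com", "spacelift.io", "env0.com",
    "terraformcloud.io", "app.terraform.io",
}

# Assumed, simplified regexes for the four phrase groups; all four must match.
GROUPS = {
    "topic": r"\bterraform\b|terraform-aws-modules?|hashicorp/[\w-]+|registry\.terraform\.io"
             r"|module\s+(?:source|block)|iac\s+(?:drift|module)|infrastructure-as-code",
    "namespace": r"namespace\s+(?:swap|migrat|chang|updat|rewrit)"
                 r"|module\s+(?:namespace|source|migrat)"
                 r"|(?:migrate|update)\s+(?:from|to)\s+[\w-]+/[\w-]+",
    "init": r"re-?run\s+(?:terraform\s+)?init|terraform\s+init\s+(?:within|to\s+pull)"
            r"|run\s+(?:terraform\s+)?init\s+within|pull\s+the\s+(?:new\s+)?(?:namespace|module)"
            r"|update\s+(?:the\s+)?(?:source\s+attribute|module\s+block|module\s+source)",
    "urgency": r"within\s+\d+\s+(?:hours?|days?)|action\s+required|mandatory"
               r"|module\s+(?:will\s+be\s+)?(?:rejected|deprecated|removed)",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in GROUPS.items()}

def sender_allowlisted(address):
    """True if the sender domain is an allowlisted domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip(" >").lower()
    return any(domain == d or domain.endswith("." + d) for d in ALLOWLIST)

def matched_groups(body):
    """Names of the phrase groups found in the body, in GROUPS order."""
    return [name for name, rx in COMPILED.items() if rx.search(body)]

def fires(sender, body):
    """Fires only when every group matches and the sender is off the allowlist."""
    return not sender_allowlisted(sender) and len(matched_groups(body)) == len(COMPILED)

# LURE is quoted from this page; BUMP is a constructed ordinary version-bump mail.
LURE = ("Renovate has detected a new terraform module source for your VPC infrastructure. "
        "Please update from hashicorp/aws-vpc to hashicorp-aws/vpc and re-run terraform init "
        "within 24 hours to pull the new namespace. Action required")
BUMP = "Update terraform module terraform-aws-modules/vpc/aws to a newer version constraint."

if __name__ == "__main__":
    for sender, body in [("Renovate <renovate@tf-updates.example>", LURE),
                         ("bot@renovatebot.com", LURE),
                         ("news@tf-updates.example", BUMP)]:
        print(sender, matched_groups(body), fires(sender, body))
```

The version-bump mail matches only the topic group, so it contributes nothing even from an unknown sender; the lure text is suppressed only when the sender domain is on the allowlist.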
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.