
Typosquatting

Package "typosquatting" is a malicious technique in which an attacker publishes a package whose name closely resembles that of an existing, popular package in the registry. Once the malicious package is in the registry, the attacker relies on human error or social engineering to trick developers into installing it instead of the package they intended.

Typosquatting examples

Attackers exploit common typos to distribute their malicious packages. For example:

  • Common misspellings: An attacker might publish a package named "nxet" to target developers who mistype the command to install the popular "next" package. If a developer accidentally types npm install nxet, they will unknowingly install the attacker's package.

  • Visual similarities: Attackers may use characters that look alike to create deceptive package names. For instance, publishing a package named "tensorf1ow" takes advantage of the visual similarity between the digit "1" and the lowercase letter "l". An attacker could then open a pull request that appears to upgrade the version of TensorFlow but actually changes the dependency to their malicious "tensorf1ow" package. If merged, this change would introduce the attacker's package as a dependency in the project.

How Stacklok Insight combats typosquatting

Stacklok Insight analyzes the packages in a registry and identifies packages with similar names. This information is combined with the Stacklok Insight assessment for each package to build a list of similarly named packages that show signs of higher risk. These packages may be attempts at typosquatting.
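The two name tricks described above (a transposed or mistyped character, and a lookalike character swapped in) can both be caught by comparing a candidate name against a list of popular packages after normalizing lookalike characters and measuring edit distance. The script below is an added example written for this page; it is not Stacklok Insight's implementation. The `POPULAR` list, the `HOMOGLYPHS` table and the candidate names are constructed for the example, and a real scan would draw the popular-package list from registry download statistics instead.

```python
"""Flag registry package names that sit one typo or one lookalike
character away from a popular package (added example, not Stacklok code)."""

# Constructed list of popular package names (assumption for the example).
POPULAR = {"next", "tensorflow", "lodash", "express", "requests"}

# Lookalike characters an attacker substitutes, mapped to the letter a
# human reads them as. npm names are lowercase, so only digits are listed.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s"}


def normalize(name: str) -> str:
    """Replace lookalike characters so 'tensorf1ow' compares as 'tensorflow'."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name.lower())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, plus
    one adjacent transposition, so 'nxet' is a single edit from 'next'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # delete from a
                          d[i][j - 1] + 1,        # insert into a
                          d[i - 1][j - 1] + cost) # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(candidate: str, popular=POPULAR, max_distance: int = 1):
    """Return [(popular_name, reason)] for every popular package the candidate
    imitates. An exact match is the popular package itself and is not flagged.
    'homoglyph' means the names are identical once lookalikes are normalized;
    'typo' means they are within max_distance edits of each other."""
    hits = []
    norm = normalize(candidate)
    for name in sorted(popular):
        if candidate == name:
            continue
        if norm == name:
            hits.append((name, "homoglyph"))
        elif osa_distance(norm, name) <= max_distance:
            hits.append((name, "typo"))
    return hits


if __name__ == "__main__":
    # Constructed sample of names as they might appear in a registry listing.
    for pkg in ["nxet", "tensorf1ow", "next", "react", "lodash"]:
        print(pkg, "->", find_lookalikes(pkg) or "no lookalike")
```

Name similarity alone is only a signal: a legitimately distinct package whose name happens to be one edit from a popular one would be flagged by `find_lookalikes` too, which is why the similarity list is combined with a per-package risk assessment before anything is called a typosquatting attempt.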