Skip to content
Latchkey

What Is Typosquatting?

Typosquatting is a supply-chain attack where an adversary registers package names that are near-misspellings of popular libraries, hoping a developer mistypes the name and installs the malicious version. The fake package often mimics the real one while running hidden malicious code on install. It targets human error rather than registry resolution rules.

Why it matters

A single character slip in a dependency name can pull in attacker-controlled code that runs during installation in CI, where it can exfiltrate secrets. Defenses include lockfiles that pin exact resolved packages, automated dependency review, and pulling only through a vetted proxy or mirror.

Related concepts

  • Exploits human misspelling, not resolver rules
  • Lockfiles and dependency review reduce risk
  • Dependency confusion is a related attack

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →