What Is Typosquatting?
Typosquatting is a supply-chain attack where an adversary registers package names that are near-misspellings of popular libraries, hoping a developer mistypes the name and installs the malicious version. The fake package often mimics the real one while running hidden malicious code on install. It targets human error rather than registry resolution rules.
Why it matters
A single character slip in a dependency name can pull in attacker-controlled code that runs during installation in CI, where it can exfiltrate secrets. Defenses include lockfiles that pin exact resolved packages, automated dependency review, and pulling only through a vetted proxy or mirror.
Related concepts
- Exploits human misspelling, not resolver rules
- Lockfiles and dependency review reduce risk
- Dependency confusion is a related attack
Related guides
What Is Dependency Confusion?Dependency confusion is a supply-chain attack where a malicious public package with a private package's name…
What Is a Lockfile?A lockfile records the exact resolved versions and hashes of every dependency, so installs are deterministic…
What Is a Software Supply Chain Attack?A supply chain attack compromises software by tampering with a dependency, build system, or distribution chan…