# Namesquatting
Namesquatting is the practice of registering names in a shared namespace (package registries, domain names, usernames) with the intent to exploit the trust or confusion associated with those names. It's an umbrella term covering several attack variants that target software supply chains, DNS, and identity systems.
## Variants
### Typosquatting
Registering names that are common misspellings or visual lookalikes of legitimate packages, so that a mistyped `npm install` or `pip install` fetches the attacker's package instead. Relies on human error.
- `crossenv` instead of `cross-env` (npm, 2017; one of the earliest documented cases)
- `noblox.js-async` mimicking `noblox.js`
- Over 500 malicious PyPI packages discovered in a single typosquatting campaign
### Combosquatting / Brandjacking
Appending or prepending words to trusted package names to hijack brand reputation. Unlike typosquatting this does not need a typo: it relies on the developer assuming that `foo-utils` is published by the maintainers of `foo`.
- `noblox.js-proxy-server` impersonating the `noblox.js` ecosystem
- Common suffixes: `-utils`, `-helper`, `-cli`, `-core`
### [[Slopsquatting]]
Registering package names that AI coding assistants hallucinate, so that a developer who installs what the model suggested pulls the attacker's package. Exploits machine error rather than human error, and has grown with the rise of AI-assisted coding and [[Vibe Coding]].
### Dependency confusion
Publishing a public package with the same name as a private/internal package. When a package manager is configured to consult both a private and a public index, it picks the highest version number regardless of which index serves it, so a public package published with an inflated version wins and the build installs the attacker's code.
### Starjacking
Pointing a malicious package's repository metadata at an unrelated, popular GitHub project so the registry page displays that project's stars, contributors, and activity. Registries do not verify that a package was actually built from the linked repository, so the borrowed metrics make the package appear trustworthy.
## Why it works
- Package registries are open by default; anyone can publish under any unclaimed name
- Developers trust package names as proxies for legitimacy
- Automated tooling (CI/CD, AI agents) installs packages without human verification
- Registry similarity checks only catch obvious cases
## Scale
- A 2021 survey found typosquatting and namesquatting among the top threats in npm and PyPI registries
- npm rejects new package names that differ from an existing package only in punctuation (a rule introduced after the 2017 `crossenv` incident), but this doesn't cover combosquatting, dependency confusion, or hallucinated names
- AI-driven [[Slopsquatting]] has expanded the attack surface far beyond what traditional defenses handle
## Mitigation
1. **Namespace reservation**: publish placeholder packages for your internal names on public registries, so nobody else can claim them (this does not scale to every internal name and still needs the build to prefer the private index)
2. **Scoped packages**: use `@org/package` namespaces to avoid name collisions, and map the scope to your private registry in `.npmrc` so a scoped name is never resolved from the public registry
3. **Lockfile discipline**: always commit lockfiles; review dependency changes in PRs, including newly added names, not only version bumps
4. **Allowlists**: restrict which registries and packages CI/CD can pull from; for pip, route everything through a single `--index-url` (a proxy that fronts both internal and public packages) rather than `--extra-index-url`, which merges indexes and lets the highest version win
5. **SCA tools**: scan dependencies for known-malicious packages
6. **Provenance verification**: check package signing, publisher identity, and that the linked source repository actually produces the published artifact
## References
- Alex Birsan, "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" (2021): original research on dependency confusion attacks
- Checkmarx: analysis of npm typosquatting campaigns
- Snyk: security risks with Python package naming conventions
## Related
- [[Slopsquatting]]
- [[Typosquatting]]
- [[Dependency Confusion]]
- [[Starjacking]]
- [[Software Supply Chain Security]]
- [[Software Composition Analysis (SCA)]]
- [[Package Registry Security]]
- [[AI Skill Supply Chain Security]]
- [[Attack surface]]
- [[Attack vectors]]
- [[AI Safety]]
- [[Least Privilege Principle]]