# Typosquatting

Typosquatting is the practice of registering names (package names, domain names, usernames) that are slight misspellings or visual lookalikes of legitimate ones, in order to trick users into installing malicious software or visiting malicious sites. In the context of software supply chains, it targets package registries such as npm and PyPI.

## How it works

1. The attacker identifies a popular package (e.g., `cross-env` on npm)
2. Registers a package with a plausible typo: `crossenv`, `cross_env`, `crross-env`
3. Copies the legitimate package's functionality but adds malicious code (credential theft, reverse shells, data exfiltration)
4. Waits for developers to mistype the package name during `npm install` or `pip install`
5. The malicious package runs its payload, often via post-install scripts

## Typosquatting techniques

- **Character substitution**: swapping similar characters (`rn` for `m`, `0` for `O`)
- **Character omission**: dropping a letter (`colrs` for `colors`)
- **Character addition**: adding a letter (`expresss`)
- **Transposition**: swapping adjacent characters (`exrpess`)
- **Hyphen/underscore confusion**: `cross-env` vs `cross_env` (especially across npm and PyPI, which normalize names differently)
- **Scope dropping**: `express` instead of `@scope/express`

## Notable incidents

- **crossenv (2017)**: one of the first documented npm typosquats. Mimicked `cross-env` and exfiltrated environment variables (including npm tokens) to an attacker-controlled server
- **PyPI campaign (2023)**: 500+ malicious packages deployed in two waves, targeting popular data science and ML libraries
- **noblox.js ecosystem**: multiple combosquatting packages (`noblox.js-async`, `noblox.js-proxy-server`) mimicking a legitimate Roblox API library

## Registry defenses

- npm blocks new package names that are too similar to existing popular packages
- PyPI has added name normalization and similarity checks
- These defenses don't catch all variants, especially cross-registry confusion (Python package names that collide with JavaScript ones)

## Distinction from related attacks

- **Typosquatting** relies on human typing errors
- **[[Slopsquatting]]** relies on AI hallucination errors
- **[[Dependency Confusion]]** exploits namespace collisions between public and private registries
- **[[Starjacking]]** fakes popularity to build false trust
- All are forms of [[Namesquatting]]

## References

- Snyk: "Security Risks with Python Package Naming Convention: Typosquatting and Beyond"
- Checkmarx: "A New, Stealthier Type of Typosquatting Attack Spotted Targeting npm"
- Andrew Nesbitt: "Typosquatting in Package Managers" (2025)

## Related

- [[Namesquatting]]
- [[Slopsquatting]]
- [[Dependency Confusion]]
- [[Starjacking]]
- [[Package Registry Security]]
- [[Software Supply Chain Security]]
- [[Software Composition Analysis (SCA)]]
- [[Attack surface]]
- [[Attack vectors]]
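As an added example (not code from this page or from the registries it describes), a defender-side near-miss check in the spirit of the registry similarity checks above, covering each technique in the list: hyphen/underscore folding, dropped scope, homoglyph pairs and single-edit distance with transpositions. `POPULAR`, the scoped name `@myorg/utils` and the `HOMOGLYPHS` table are constructed sample data, not real registry data.

```python
import re

# Constructed sample data: a small "popular" list, including one scoped npm name.
POPULAR = {"cross-env", "colors", "express", "@myorg/utils"}
# Character pairs that look alike in a terminal or on a web page (constructed list).
HOMOGLYPHS = [("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")]


def normalize(name):
    """Canonical form across npm/PyPI: lowercase, with '_' and '.' folded to '-'."""
    return re.sub(r"[-_.]+", "-", name.lower())


def osa_distance(a, b):
    """Optimal string alignment distance: an adjacent transposition costs 1 edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_name(requested, popular=POPULAR):
    """Return (reason, popular_name) if `requested` looks like a squat, else None."""
    if requested in popular:
        return None  # exact match: this is the real package
    req = normalize(requested)
    for pop in popular:
        p = normalize(pop)
        if req == p:
            return ("separator/case confusion", pop)
        if "/" in p and req == p.split("/", 1)[1]:
            return ("scope dropped", pop)
        if any(req.replace(g, real) == p for g, real in HOMOGLYPHS):
            return ("homoglyph substitution", pop)
        if osa_distance(req, p) == 1:
            return ("one edit away", pop)
    return None


if __name__ == "__main__":
    for name in ["cross_env", "crossenv", "exrpess", "co1ors", "utils", "lodash"]:
        print(name, "->", check_name(name))
```

A real deployment would run this against the registry's actual top-N list and treat a hit as a block or a manual-review flag, not as proof of malice.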