Security

Typosquatting In Package Registries

Malicious packages named to catch a developer's typo or misremembered name.

3 min read · intro

One Typo Away

Typosquatting publishes malicious packages under names that mimic popular ones, betting that a developer will misspell or misremember the real name. Installing the lookalike runs the attacker's code with the developer's privileges, and on registries with install hooks (npm lifecycle scripts, a Python sdist's setup.py) it runs at install time, before the package is ever imported.

Common Tricks

  • Swapped, omitted or doubled letters, like a missing vowel or a transposed pair.
  • Hyphen versus underscore versus no separator, or a singular versus plural name.
  • Re-registering the name of a deleted or unmaintained package, so existing references to it resolve to the attacker's upload.

Defenses

  • Review names carefully before adding them, then pin exact versions (and hashes where the tool supports them) in a lockfile. A lockfile freezes what you already chose, so it stops later drift but not the first mistyped name.
  • Copy names from official documentation, not from memory or search snippets.
  • Use scanning that flags names within a small edit distance of popular packages, especially ones published recently or with few downloads.

Key idea

Typosquatting weaponizes near-miss package names, so copy names from official docs, pin them in a lockfile, and scan for lookalikes before installing.

Check yourself


1. What does a typosquatting package rely on?

2. Which habit best avoids typosquats?