Typosquatting
ELI5 — The Vibe Check
Typosquatting is when attackers publish malicious packages with names that are one typo away from popular ones. 'lodahs' instead of 'lodash.' 'reqeusts' instead of 'requests.' You type fast, hit install, and boom — malware. It's the phishing email of package management.
Real Talk
Typosquatting in package registries is the publication of malicious packages under names that differ from a popular package by a small edit: a substituted, added, omitted or transposed character, or a changed separator ('crossenv' for 'cross-env'). Because ecosystems such as npm (install lifecycle scripts) and PyPI (setup.py) execute package code at install time, the payload fires the moment the wrong name is installed, before anything is imported. Typical payloads exfiltrate environment variables and credentials, drop cryptominers, or open reverse shells; some also pull in the real package as a dependency so nothing appears broken. Registries run name-similarity and behavioural detection and reject some near-duplicate names, but the attack vector persists.
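The edits described above (substitution, insertion, deletion, transposition, separator changes) are exactly what a name-similarity check looks for. The following is an added example, not code from the page or from any registry: it flags dependency names that are one edit away from a constructed allow-list of popular packages, and scans a requirements.txt-style manifest. The `POPULAR` set, the sample manifest and the `audit_requirements` helper are assumptions made for this example; a real tool would load the top-N most downloaded names from the registry it targets.

```python
"""Typosquat screen for dependency names (added example, not from the page).

Flags names that are one edit away from a popular package, where an edit is a
substituted, inserted, deleted or transposed character, or a change in the
separator characters '-', '_' and '.'.
"""
from __future__ import annotations

import re

# Constructed allow-list for this example; a real tool would load the top-N most
# downloaded names from the registry it targets. Mixes npm and PyPI names only
# so that the page's own examples can be exercised.
POPULAR = {"lodash", "requests", "cross-env", "express", "react", "numpy"}


def normalize(name: str) -> str:
    """PEP 503-style normalization: lowercase and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Substitution, insertion, deletion and adjacent transposition each cost 1.
    Transposition is the case that catches 'lodahs' and 'reqeusts'.
    """
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def check_name(name: str, popular=POPULAR, max_distance: int = 1):
    """Return (reason, target) if `name` looks like a typosquat, else None.

    An exact match after normalization is the legitimate package and returns None.
    """
    norm = normalize(name)
    targets = {normalize(p): p for p in popular}
    if norm in targets:
        return None
    # Separator-only difference, e.g. 'crossenv' vs 'cross-env'.
    for t_norm, original in targets.items():
        if norm.replace("-", "") == t_norm.replace("-", ""):
            return ("separator", original)
    best = None
    for t_norm, original in targets.items():
        dist = osa_distance(norm, t_norm)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, original)
    return (f"edit-distance-{best[0]}", best[1]) if best else None


def audit_requirements(text: str, popular=POPULAR) -> dict:
    """Scan requirements.txt-style text; return {name: (reason, target)} for suspects."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as -r / --index-url
        raw = re.split(r"[=<>!~\[;@ ]", line, maxsplit=1)[0]
        hit = check_name(raw, popular)
        if hit:
            findings[raw] = hit
    return findings


# Constructed sample manifest for this example.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0     # legitimate
reqeusts==2.31.0     # transposed letters
lodahs               # transposed letters
crossenv>=1.0        # dropped separator
numpy>=1.26          # legitimate
"""

if __name__ == "__main__":
    for name, (reason, target) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"SUSPECT {name!r}: {reason}, did you mean {target!r}?")
```

Treat a hit as a warning, not a verdict: plenty of legitimate packages sit one character apart, so the check belongs in a pre-install gate that asks for confirmation rather than one that blocks outright. The separator case is singled out because it was the crossenv pattern, and npm has since rejected new names that differ from an existing package only in punctuation.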
When You'll Hear This
"Always double-check package names before installing — typosquatting is real." / "The 'crossenv' typosquatting attack caught hundreds of developers who meant to install 'cross-env.'"
Related Terms
Dependency Confusion
Dependency Confusion tricks package managers into downloading a malicious public package instead of your private one.
npm
npm is like a vending machine for code. You say 'I want React' and it delivers React, plus React's 47 friends, plus their friends' friends.
SCA
SCA checks if the libraries you're using have known vulnerabilities. You didn't write the bug, but you imported it. That lodash version from 2019?
Supply Chain Security
Supply Chain Security protects the entire path from code to production — dependencies, build systems, registries, everything.