
Typosquatting in Package Registries, Explained


Typosquatting is when an attacker publishes a malicious package under a name that looks almost identical to a popular one: reqeusts instead of requests, loadsh instead of lodash, python-sqlite instead of the real thing. A developer fat-fingers an install command, or copies a bad name from a forum, and the malware is in.

Why it works

What attackers do once installed

How to defend

Closely related is dependency confusion, where the collision is with your internal package names rather than with a popular public one.
