Typosquatting

npm · PyPI · all registries
Definition

Typosquatting in the context of software packages means registering a package name that looks almost identical to a legitimate, popular package — one letter swapped, a missing character, or a common misspelling. When a developer mistypes the package name in npm install or pip install, they get the malicious package instead.

Why it keeps working

The npm and PyPI registries are open — anyone can register any available name. There's no automatic protection against names that are suspiciously close to popular packages. By the time security researchers notice and report a typosquatted package, it may have already been installed thousands of times.

The attack is simple and low-effort for attackers. Register expres (missing the final s), add a postinstall script that exfiltrates environment variables to a remote server, and wait. Developers mistype package names all the time.

Common targets

express    → expres, expresss, expresjs
lodash     → lodas, lodashs, lodahs
react      → reacts, reaact, recat
axios      → axois, axxios
webpack    → webpak, webapck, webpackk
requests   → requets, reqeusts (Python)
django     → dajngo, djagno (Python)

Real typosquatting incidents

In 2022, researchers found over 200 typosquatted packages on PyPI targeting popular data science libraries. In 2023, a campaign targeted npm packages used in crypto development. In early 2026, the Contagious Interview operation used typosquatted packages as part of a broader developer targeting campaign.

How PackageFix detects it

PackageFix runs a Levenshtein distance check on every package name in your manifest against a hardcoded list of the top 100 packages per ecosystem. A distance of 1 (one character different) triggers a TYPOSQUAT? badge: "Similar to express — verify this is the correct package."
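As an added illustration (not PackageFix's own code), the check described above in Python: a plain Levenshtein distance is computed for every dependency in a package.json against a constructed stand-in for the hardcoded top-100 list, and a distance of 1 raises the badge.

```python
import json

# Constructed stand-in for PackageFix's hardcoded top-100 npm list (assumption, not the real list).
POPULAR_NPM = ["express", "lodash", "react", "axios", "webpack"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution (0 cost if equal)
        prev = cur
    return prev[-1]


def flag_typosquats(manifest_json: str, popular=POPULAR_NPM, max_distance=1):
    """Return [(name, lookalike, distance)] for each dependency within max_distance of a popular name."""
    manifest = json.loads(manifest_json)
    names = set()
    for section in ("dependencies", "devDependencies"):
        names.update(manifest.get(section, {}))
    hits = []
    for name in sorted(names):
        if name in popular:
            continue  # exact match is the legitimate package, not a lookalike
        for p in popular:
            d = levenshtein(name, p)
            if d <= max_distance:
                hits.append((name, p, d))
    return hits


# Constructed package.json: one typo in dependencies, one in devDependencies, one legitimate package.
SAMPLE_MANIFEST = """{
  "dependencies": {"expres": "^4.18.0", "lodash": "^4.17.21"},
  "devDependencies": {"webpak": "^5.0.0"}
}"""

if __name__ == "__main__":
    for name, p, d in flag_typosquats(SAMPLE_MANIFEST):
        print(f"TYPOSQUAT? {name}: similar to {p} (distance {d}) - verify this is the correct package.")
```

Note that plain Levenshtein scores a two-letter transposition such as axois (for axios) as 2, so a distance-1 threshold misses that class of typo; Damerau-Levenshtein counts a transposition as a single edit.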

Check your dependencies for CVEs, CISA KEV entries, and supply chain risks.

Free · No signup · No CLI · Runs in your browser

Common questions

How is typosquatting different from dependency confusion?
Typosquatting uses a similar-looking name to catch developers who mistype. Dependency confusion uses the exact same name as a private internal package to exploit how registries are prioritized. Both result in the wrong package being installed.
Can npm or PyPI prevent typosquatting?
Both registries have manual review processes and respond to reports, but they can't automatically prevent all typosquatted names from being registered. Prevention is faster than removal — check package names carefully before installing.
What should I do if I accidentally installed a typosquatted package?
Remove it immediately. Rotate any secrets, tokens, or credentials that were available as environment variables during the install — the postinstall script may have already exfiltrated them. Check your .env files and CI secrets.
Does PackageFix check for typosquatting in my lockfile?
Yes — PackageFix checks all package names in your manifest against the top 100 packages in each ecosystem using Levenshtein distance. Drop your package-lock.json alongside your package.json for transitive dependency checking too.