Typosquatting attacks exploit fast-typing or AI-assisted package installation: an attacker registers lodahs or crossenv on npm and waits for installations. These packages typically contain postinstall scripts that exfiltrate environment variables — specifically targeting AWS_SECRET_ACCESS_KEY, DATABASE_URL, and similar credentials that are almost universally present in developer environments. OWASP A08 (Software and Data Integrity Failures) and CWE-829 both apply. CWE-1357 covers the reliance on an insufficiently trustworthy component. AI coding tools that auto-generate npm install commands are particularly vulnerable to this vector because they may hallucinate a package name that closely resembles a real one. A single character transposition in a production dependency name can mean you're running attacker code.
Medium because typosquatting requires the malicious package to be installed — the attacker depends on a typographic error — but the consequence when triggered is immediate credential exfiltration.
Verify any unfamiliar package before using it. Check the registry record directly:
npm info suspect-package-name
Look for: number of published versions, publish date, author identity, README quality, and weekly download count. A package with one version, no README, and under 100 weekly downloads that resembles a popular library is a red flag. Remove the suspect package and install the correct spelling:
npm uninstall suspect-package-name
npm install correct-package-name
ID: dependency-supply-chain.security-vulns.no-typosquatting
Severity: medium
What to look for: Examine package names in package.json for common typosquatting patterns against popular packages. Known historical typosquatting targets include: crossenv (vs cross-env), lodahs (vs lodash), expres or expresss (vs express), reqeuest (vs request), momnet (vs moment), babelcli (vs babel-cli), colourama (vs colorama). Also look for packages whose names are suspiciously similar to top-100 npm packages with character transpositions, extra characters, or hyphen/underscore swaps. Pay attention to new or one-off packages with no clear ecosystem origin. Count every direct dependency and enumerate any whose names are within edit distance 1-2 of popular packages (e.g., "lodahs" vs. "lodash", "expresss" vs. "express").
Pass criteria: All package names in package.json match well-known packages exactly, with no suspicious near-matches. The implementation must be verifiable by examining the codebase and must handle the documented requirements completely. At least 1 implementation must be confirmed.
Fail criteria: One or more package names are near-matches to popular packages with character-level differences that suggest typos. Do NOT pass if any dependency name differs by only 1 character from a popular package and has fewer than 100 weekly downloads.
Skip (N/A) when: No package.json detected.
Cross-reference: The high-critical-vulns check in Security Vulnerabilities scans the dependencies this check validates as legitimate.
Detail on fail: "Package 'lodahs' in dependencies appears to be a typosquatting variant of 'lodash' — verify this is the intended package" or "Package 'expres' in dependencies — did you mean 'express'?"
Remediation: Typosquatting packages often contain malicious code designed to harvest environment variables or credentials at install time. They exploit the fact that fast-typing developers (or AI tools) may install a slightly misspelled package name.
Check the suspect package on the npm registry before proceeding:
npm info suspect-package-name
Look at: publish date, number of versions, author, README quality, and weekly downloads. A package published once with no documentation and few downloads is a red flag.
Remove the suspect package and install the correct one:
npm uninstall suspect-package-name
npm install correct-package-name