
Typosquatting: When a Typo Can Hack Your Project

January 10, 2025 • 4 min read

We've all done it. You're typing fast, you hit install, and... wait, did you spell that right?

Most of the time, a typo just gives you an error. Package not found. No big deal.

But sometimes? Someone's waiting for that mistake.

What's Typosquatting?

It's exactly what it sounds like. Attackers register package names that are almost right. One letter off. A common misspelling. An extra dash.

Some real examples that have been caught:

Each of these fake packages contained malware. And thousands of people installed them by accident.

Why It Works So Well

Think about how you install packages. You're probably copy-pasting from Stack Overflow or typing from memory while half-watching YouTube.

Nobody reads the package name letter by letter. We just assume it's right.

Attackers know this. They set up packages that:

What They're After

The payloads vary, but here's what we commonly see:

Credential theft. They scan for AWS keys, database passwords, anything juicy in your environment variables.

Cryptocurrency mining. Your CPU does the work, they get the coins.

Backdoors. A way to come back later when you're a more valuable target.

How to Protect Yourself

1. Use copy-paste carefully. Copy from official docs, not random tutorials.

2. Check download counts. The real requests package has millions of downloads. A typosquat has hundreds. Big difference.

3. Use Redakta. We automatically flag suspicious packages — including ones that were just registered (a common typosquat red flag).

4. Lock your dependencies. Use a lockfile. Don't let packages update without review.
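As an added illustration (not code from this post or from Redakta), here is how the checks behind points 2 and 3 can be automated: normalize the requested name, measure whether it sits one typo away from a popular package (a dropped letter, a swapped pair, an extra dash), and then weigh the registry's download count and age. The POPULAR set and the REGISTRY table are constructed sample data; a real tool would pull both from the package index.

```python
import re
# Constructed allow-list of popular package names (an assumption; real tooling
# would pull this from the index's download statistics).
POPULAR = {"requests", "numpy", "urllib3", "python-dateutil", "cryptography"}

# Constructed registry metadata: name -> (total downloads, days since first release).
REGISTRY = {
    "requests": (1_000_000_000, 4000),
    "numpy": (800_000_000, 5000),
    "requets": (312, 5),            # one letter dropped, brand new
    "python-datetuil": (45, 2),     # two letters swapped, brand new
    "numpi": (50_000, 400),         # near-miss with real history: needs a human look
}

def normalize(name: str) -> str:
    """Canonical form (PEP 503 style): lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one-letter insert, delete, substitute,
    or swap of two adjacent letters each cost 1 (the typo classes in the post)."""
    d = [list(range(len(b) + 1))] + [[i] + [0] * len(b) for i in range(1, len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def assess(name, popular=POPULAR, registry=REGISTRY, min_downloads=10_000, min_age_days=30):
    """Return (verdict, reason): 'ok' for an exact popular name, 'unknown' when nothing
    popular is within one edit, 'suspicious' when a near-miss is also new or rarely
    downloaded, and 'review' when a near-miss has an established history."""
    n = normalize(name)
    if n in popular:
        return "ok", f"{n} is a known popular package"
    near = sorted(p for p in popular if edit_distance(n, p) <= 1)
    if not near:
        return "unknown", "not within one edit of a popular package"
    downloads, age_days = registry.get(n, (0, 0))  # absent from the index counts as zero
    signals = []
    if downloads < min_downloads:
        signals.append(f"only {downloads} downloads")
    if age_days < min_age_days:
        signals.append(f"first released {age_days} days ago")
    if signals:
        return "suspicious", f"one edit from {near[0]}; " + ", ".join(signals)
    return "review", f"one edit from {near[0]} but has an established history"
```

Run this as a pre-install hook and only the "suspicious" and "review" verdicts need a human to stop and read the name letter by letter.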

The Bottom Line

A typo shouldn't cost you your project. But right now, it can.

The good news: this is fixable with basic hygiene and the right tools. Scan before you trust. Always.


© 2025 Redakta • Powered by SEKURA.SE