
Offensive360
Beginner · 15 min

Package Typosquatting

Learn how malicious packages with names similar to popular libraries steal credentials on developer machines.

1 Malicious Look-alike Package Names

Typosquatting publishes packages with names very similar to popular, legitimate packages. Developers who mistype the package name install the malicious version instead.

Real typosquatting examples:

  • colourama (instead of colorama) — malicious, steals crypto wallets
  • crpyto (instead of crypto) — typo in a common package
  • cross-env2 (instead of cross-env) — extra character
  • twitch-authenticator (instead of twitch-auth) — variation
  • node-opencv, opencf — variations on popular packages

What typosquatting packages do:

// Malicious package install script (package.json)
"scripts": {
  "preinstall": "node steal.js"  // Runs automatically on npm install!
}

// steal.js exfiltrates:
// - SSH keys (~/.ssh/)
// - Environment variables (process.env)
// - npm auth tokens (~/.npmrc)
// - Git credentials
// - Cryptocurrency wallets

The npm preinstall hook runs with the developer's full OS permissions — on a developer machine, this means access to source code, credentials, and internal network access.

2 Verify Package Names and Audit Installs

Prevent typosquatting through careful verification of package names and automated scanning of installed packages.

Verify package identity before installation:

# Before installing, inspect the package on npmjs.com:
# Check: number of weekly downloads, creation date, maintainers, repository URL
# A package with 0 downloads and created today is suspicious!

# View package metadata before installing:
npm info colorama
# Check: author, repository, keywords, description

# Lock the exact version you tested:
npm install colorama@<exact-version>  # Exact version (placeholder shown), not colorama@latest

Organization-level npm audit rules:

# Using Socket.dev or a similar tool: flags newly published packages whose
# names closely resemble packages you already install

# Or use npm install with --ignore-scripts in CI:
npm ci --ignore-scripts  # Prevents preinstall/postinstall hooks from running

Defense checklist:

  • Double-check package names before installing — search npmjs.com
  • Check download counts, creation date, and maintainer reputation
  • Use --ignore-scripts in CI to prevent install hooks from running
  • Use Socket.dev or similar tools to detect newly suspicious packages
  • Pin exact versions in package.json for all dependencies

Knowledge Check

Q1

What makes npm preinstall scripts especially dangerous in typosquatting attacks?

Q2

What signals should make you suspicious of a newly published npm package?

Q3

How does npm ci --ignore-scripts protect CI/CD pipelines from typosquatting?

Code Exercise

Add --ignore-scripts to CI Install

The CI pipeline uses plain npm ci which allows package install scripts to run. Update it to use --ignore-scripts to prevent malicious install hooks.
