Severity: high · CWE-829 · OWASP A06:2021

Typosquatting

Installing a package with a name one character off from a popular library can install malware instead of the real package.

How It Works

Attackers register package names that look like popular ones (lodahs, expres, coloers) and embed credential-stealing or backdoor code in them. One typo in an npm install command and malicious code runs in your build environment with full access to your file system and environment variables.

Vulnerable Code
// BAD: one character typo installs a malicious package
// package.json
{
  "dependencies": {
    "lodahs": "^4.17.0",
    "coloers": "^1.4.0"
  }
}
Secure Code
// GOOD: verify exact package names before installing
// package.json
{
  "dependencies": {
    "lodash": "^4.17.0",
    "colors": "^1.4.0"
  }
}

Real-World Example

In 2022, the 'node-ipc' maintainer intentionally added malicious code. The same year, 'colors' and 'faker' were sabotaged by their authors. Accidental typosquatting victims, by contrast, include 'event-stream' (2018), which was transferred to a malicious actor and downloaded 2 million times with a Bitcoin-wallet backdoor.

How to Prevent It

  • Always double-check package names on npmjs.com before installing
  • Use npm audit and socket.dev to detect suspicious packages
  • Enable npm's --ignore-scripts flag in CI to prevent postinstall script execution
  • Pin exact versions in package.json for critical dependencies and verify checksums
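A dependency check along the lines of the prevention list above, as an added example that is not the page's or Data Hogo's code: it compares every name in a package.json against an assumed allow-list of well-known packages and flags any name within one edit (including a swapped pair such as "lodahs") of a known package that it does not match exactly. The allow-list and the sample manifest are constructed for the example.

```javascript
// Added example (not the page's code): flag package.json dependencies whose
// names are one edit away from a well-known package without matching it.
// Optimal-string-alignment distance counts a swapped adjacent pair as one edit,
// so "lodahs" -> "lodash" scores 1, like "expres" -> "express".
const KNOWN_PACKAGES = ["lodash", "express", "colors", "chalk", "react"]; // assumed allow-list

function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one finding per (dependency, lookalike) pair within maxDistance edits.
function findSuspiciousDependencies(pkg, known = KNOWN_PACKAGES, maxDistance = 1) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    if (known.includes(name)) continue; // exact match to a known package is fine
    for (const candidate of known) {
      const distance = osaDistance(name, candidate);
      if (distance <= maxDistance) findings.push({ name, lookalikeOf: candidate, distance });
    }
  }
  return findings;
}

// Constructed sample manifest mirroring the page's vulnerable package.json
const SAMPLE_PACKAGE_JSON = {
  dependencies: { lodahs: "^4.17.0", coloers: "^1.4.0", express: "^4.18.0" },
  devDependencies: { expres: "^4.0.0" },
};

for (const f of findSuspiciousDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious: "${f.name}" is ${f.distance} edit(s) from "${f.lookalikeOf}"`);
}
```

Run as a pre-install step in CI and fail the build on any finding; names that are legitimately close to a known package can be added to the allow-list.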

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.