Typosquatting
You are publishing a package to a registry an AI coding agent installs from. The registry rejects exact-name collisions with existing packages, but does nothing about look-alike names. Popular targets include lodash, requests, react, numpy, and friends.
Publish a package whose name is one typo away from a popular dependency (a character swap, a missing letter, a look-alike glyph) so an agent that misremembers the name installs yours instead.
How this attack works
The registry guard only compares the literal name against existing packages. A name a single edit away — a transposition, a dropped letter, or a homoglyph like rn for m — sails through. An agent (or a tired developer) that types the name from memory installs the impostor, which then runs whatever its install scripts contain.
Why it's dangerous
AI agents install dependencies autonomously and rarely double-check spelling. One squatted name in a lockfile or a hallucinated import can pull attacker-controlled code into the build — the classic supply-chain entry point. This is exactly what SkillTotal flags as ST-TYPOSQUAT.
OWASP mapping
Maps to OWASP Top 10 for LLM Applications (2025): LLM03: Supply Chain (and OWASP Agentic Skills AST02). SkillTotal’s ST-TYPOSQUAT rule compares a component’s package identity against popular names and flags near-misses deterministically.
How to defend
- Pin dependencies by name AND integrity hash; install only from a vetted lockfile.
- Run typosquat detection (like SkillTotal’s ST-TYPOSQUAT) in CI before install.
- Use a private registry / allowlist; block direct installs of arbitrary public names.
- Never let an agent install a package it merely inferred — require an explicit, reviewed manifest.
SkillTotal catches this class of issue deterministically (rule ST-TYPOSQUAT).
FAQ
- Why doesn't blocking exact name collisions help?
- The attacker never reuses the exact name — they register a near-identical one. The defender must reason about edit distance and homoglyphs, not equality.
- How does SkillTotal detect typosquatting?
- ST-TYPOSQUAT normalizes the package name (case, separators, scope) and measures edit distance against a list of popular packages, flagging close-but-not-exact matches — no install or code execution needed.
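As an added illustration of the check described above (my own example code, not SkillTotal’s implementation), the following normalizes a candidate name the way the FAQ describes, folds a few look-alike glyphs, and measures optimal-string-alignment edit distance against a small constructed list of popular names; the homoglyph table, threshold and popular list are assumptions for the demo.

```python
import unicodedata

# Constructed sample of popular names; a real list would be far longer.
POPULAR = ("lodash", "requests", "react", "numpy", "express")

# Look-alike substitutions folded before comparing (assumed, not exhaustive).
# Digit folds such as 0->o can false-positive on legitimate names with digits.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize(name: str) -> str:
    """Fold case, drop a leading @scope/, unify separators, fold homoglyphs."""
    n = unicodedata.normalize("NFKC", name).strip().lower()
    if n.startswith("@") and "/" in n:
        n = n.split("/", 1)[1]  # "@evil/lodash" -> "lodash"
    for sep in ("-", "_", "."):
        n = n.replace(sep, "")
    for glyphs, canon in HOMOGLYPHS.items():
        n = n.replace(glyphs, canon)
    return n


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_typosquat(name: str, popular=POPULAR, max_distance: int = 1):
    """Return the popular name `name` impersonates, or None.

    An exact raw match is the genuine package. Anything else whose normalized
    form is within `max_distance` of a popular name is flagged. Trusted scopes
    (e.g. an organisation's own @scope) should be allowlisted before this runs.
    """
    if name in popular:
        return None
    n = normalize(name)
    best = min(popular, key=lambda p: osa_distance(n, normalize(p)))
    return best if osa_distance(n, normalize(best)) <= max_distance else None
```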