SkillTotal

Typosquatting

lab 05 · ST-TYPOSQUAT · LLM03
scenario

You are publishing a package to a registry an AI coding agent installs from. The registry rejects exact-name collisions with existing packages, but does nothing about look-alike names. Popular targets include lodash, requests, react, numpy, and friends.

objective

Publish a package whose name is one typo away from a popular dependency (a character swap, a missing letter, a look-alike glyph) so an agent that misremembers the name installs yours instead.


How this attack works

The registry guard only compares the literal name against existing packages. A name a single edit away — a transposition, a dropped letter, or a homoglyph like rn for m — sails through. An agent (or a tired developer) that types the name from memory installs the impostor, which then runs whatever its install scripts contain.

Why it's dangerous

AI agents install dependencies autonomously and rarely double-check spelling. One squatted name in a lockfile or a hallucinated import can pull attacker-controlled code into the build — the classic supply-chain entry point. This is exactly what SkillTotal flags as ST-TYPOSQUAT.

OWASP mapping

Maps to OWASP Top 10 for LLM Applications (2025): LLM03: Supply Chain (and OWASP Agentic Skills AST02). SkillTotal’s ST-TYPOSQUAT rule compares a component’s package identity against popular names and flags near-misses deterministically.

How to defend

  • Pin dependencies by name AND integrity hash; install only from a vetted lockfile.
  • Run typosquat detection (like SkillTotal’s ST-TYPOSQUAT) in CI before install.
  • Use a private registry / allowlist; block direct installs of arbitrary public names.
  • Never let an agent install a package it merely inferred — require an explicit, reviewed manifest.

SkillTotal catches this class of issue deterministically (rule ST-TYPOSQUAT).


FAQ

Why doesn't blocking exact name collisions help?
The attacker never reuses the exact name — they register a near-identical one. The defender must reason about edit distance and homoglyphs, not equality.
How does SkillTotal detect typosquatting?
ST-TYPOSQUAT normalizes the package name (case, separators, scope) and measures edit distance against a list of popular packages, flagging close-but-not-exact matches — no install or code execution needed.
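An added illustration of the check described in this answer, written for this page and not SkillTotal's own code: it normalizes case, scope and separators, folds look-alike sequences such as rn for m, and then measures edit distance (with transpositions counted as one edit) against a popular-name list. The popular list, the homoglyph table and the one-edit threshold are assumptions chosen for the example.

```python
import re

# Constructed sample of popular names; a real check would use a larger list.
POPULAR = {"lodash", "requests", "react", "numpy", "express", "axios"}

# Assumed homoglyph/digraph folds: each maps a look-alike to the letter it
# imitates (the "rn for m" case from the text, plus a few common ones).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(name: str) -> str:
    """Case, scope and separator normalization (the three steps above)."""
    n = name.strip().lower()
    n = re.sub(r"^@[^/]+/", "", n)      # @scope/pkg -> pkg
    return re.sub(r"[-_.]+", "-", n)   # lodash_es / lodash.es -> lodash-es


def fold_homoglyphs(name: str) -> str:
    """Collapse look-alike sequences so 'nurnpy' compares as 'numpy'."""
    for look_alike, letter in HOMOGLYPHS:
        name = name.replace(look_alike, letter)
    return name


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1, so 'reqeusts' is 1 from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_typosquat(name: str, popular=POPULAR, max_edits: int = 1):
    """Return (flagged, closest_popular_or_None). An exact match after
    normalization is the genuine package; a near-miss (including a name that
    only matches after homoglyph folding) is flagged without installing it."""
    n = normalize(name)
    if n in popular:
        return (False, n)
    folded = fold_homoglyphs(n)
    best = min(popular, key=lambda p: edit_distance(folded, p))
    dist = edit_distance(folded, best)
    return (True, best) if dist <= max_edits else (False, None)
```

Running this over a manifest before install (the CI step the defence list recommends) turns a near-miss into a build failure rather than an executed install script.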