Typosquatting Attack
Malware Protection
Definition
An attack registering package names, domains, or usernames with deliberate typos of popular targets (e.g., 'reqeusts' instead of 'requests') to intercept traffic or trick users into installing malicious software.
Technical Details
Typosquatting exploits human typing errors and copy-paste mistakes. In software supply chains, typosquatted package names target common misspellings, adjacent key substitutions, missing hyphens, and plural/singular variations. Domain typosquatting intercepts users who mistype URLs, while combosquatting uses brand names combined with keywords. Automated scanning tools like typosquatting-detection libraries help identify potentially malicious registrations.
Practical Usage
Organizations should monitor registries and DNS for typosquatted versions of their brand names and internal package names. Developers should double-check package names before installing, use IDE plugins that warn of suspicious package names, and pin exact versions in dependency manifests.
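The checks described above (adjacent-key swaps, single-character typos, missing hyphens, plural/singular variants and 'rn'-for-'m' style lookalikes) can be turned into a pre-install or CI gate over a dependency manifest. The following is an added example written for this page, not code from any typosquatting-detection library: KNOWN is a constructed stand-in for a list of packages an organization actually depends on, the homoglyph table is a small assumption covering the visual confusions named on this page, and SAMPLE_REQUIREMENTS is a constructed manifest. Names are canonicalized PEP 503-style (lowercase, separator runs folded to '-') before comparison so that legitimate spellings such as 'Requests' are not flagged; only names that are close to a known package without being that package are reported.

```python
"""Flag dependency names that look like typosquats of packages you already trust."""
import re

# Constructed stand-in for the organization's allow-list of trusted packages.
KNOWN = {"requests", "colorama", "python-dateutil", "numpy", "flask"}

# Assumed visual lookalikes (the page's 'rn' for 'm' is the motivating case).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Constructed sample manifest; three of the five lines are lookalikes.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
reqeusts==1.0.0
python-dateuil
flask>=2.0
nurnpy==1.0
"""


def canonical(name):
    """PEP 503-style canonical form: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold_homoglyphs(name):
    """Replace visually confusable sequences so 'nurnpy' compares equal to 'numpy'."""
    for lookalike, real in HOMOGLYPHS.items():
        name = name.replace(lookalike, real)
    return name


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so an adjacent-key swap such as 'reqeusts' counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def squat_reason(candidate, known=KNOWN):
    """Return why `candidate` looks like a typosquat of a known package, or None.

    An exact (canonical) match is trusted; anything else is compared against
    every known name using the variant classes described on the page."""
    c = canonical(candidate)
    canon_known = {canonical(k): k for k in known}
    if c in canon_known:
        return None
    for k in sorted(canon_known):
        if fold_homoglyphs(c) == fold_homoglyphs(k):
            return f"homoglyph lookalike of {k}"
        if c.replace("-", "") == k.replace("-", ""):
            return f"hyphenation variant of {k}"
        if c.rstrip("s") == k.rstrip("s"):
            return f"plural/singular variant of {k}"
        if osa_distance(c, k) == 1:
            return f"1 edit away from {k}"
    return None


def scan_requirements(text, known=KNOWN):
    """Parse a requirements-style manifest and return (name, reason) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not match:
            continue
        name = match.group(0)
        reason = squat_reason(name, known)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"SUSPICIOUS {name}: {reason}")
```

Run it against a real manifest by replacing SAMPLE_REQUIREMENTS with the file contents and KNOWN with the packages your lock file actually resolves to; a finding means the name should be verified against the registry page before installation rather than treated as proof of malice, since two legitimate packages can also sit one edit apart.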
Examples
- 'python-dateutil' vs 'python-dateuil' — a malicious package, exploiting a common typo, published to PyPI.
- A phishing domain 'rn.icrosof.com' (using 'rn' to visually mimic 'm') used in spear-phishing campaigns.
- An attacker registers 'colourama' on PyPI targeting misspellings of the legitimate 'colorama' package.