Threat Detection

Typosquat Detection

Attackers publish packages with names nearly identical to popular libraries — requ3sts instead of requests, lodassh instead of lodash. A single typo in a developer's install command can compromise an entire build pipeline.

How Typosquatting Works

Typosquatting is one of the most common software supply chain attacks. An attacker registers a package with a name that is a deliberate misspelling, character swap, or homoglyph substitution of a popular package. When a developer makes a typo — or copies a malicious tutorial — the impostor package is installed instead.

Once installed, the typosquat package typically executes a malicious payload during the install phase: stealing environment variables, exfiltrating credentials, downloading backdoors, or establishing reverse shells. The attack surface is enormous because package managers trust any package published to the registry.

How Hextrap Detects Typosquats

Hextrap continuously polls every new package published to PyPI, npm, and the Go module index. Using the rapidfuzz library for high-performance fuzzy string matching, each package name is compared against a curated database of:

  • 500,000+ popular PyPI package names
  • 2,000,000+ npm package names
  • 1,000,000+ Go module paths

Names that exceed a 90% similarity threshold to a known popular package are flagged as suspected typosquats. The detection normalizes names by removing hyphens, underscores, and dots before comparison to catch variants like python-dateutil vs python_dateutil.

Detection Techniques

  • Character swaps: reqeusts (transposition)
  • Character additions: requestss (extra character)
  • Character omissions: reqests (missing character)
  • Homoglyphs: reque5ts (number-letter substitution)
  • Separator variations: python.dateutil vs python-dateutil
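As an added example (not Hextrap's own code), the normalize-then-compare flow above in Python: separators are stripped as the page describes, the 90% threshold is the page's, and rapidfuzz's fuzz.ratio is re-implemented with a small standard-library LCS so the block runs without dependencies. The popular-package list and the digit-to-letter homoglyph folding are constructed assumptions; the folding goes beyond the normalization the page states and is there to cover the homoglyph category.

```python
# Added example: a minimal typosquat check modelled on the flow described above.
# rapidfuzz.fuzz.ratio (normalized Indel similarity) is re-implemented with a
# small LCS dynamic program; the popular list and homoglyph map are constructed.

# Constructed stand-in for the curated popular-package database.
POPULAR_PACKAGES = ["requests", "lodash", "python-dateutil", "numpy"]

# Assumed homoglyph folding (digits that resemble letters); not stated on the page.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

SIMILARITY_THRESHOLD = 90.0  # percent, as stated on the page


def normalize(name: str) -> str:
    """Lowercase, fold digit homoglyphs, and drop '-', '_' and '.' separators."""
    folded = name.lower().translate(HOMOGLYPHS)
    return "".join(ch for ch in folded if ch not in "-_.")


def indel_ratio(a: str, b: str) -> float:
    """Normalized Indel similarity in percent: 100 * 2*LCS(a,b) / (len(a)+len(b)).
    This is the quantity rapidfuzz.fuzz.ratio computes."""
    if not a and not b:
        return 100.0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return 100.0 * 2 * prev[-1] / (len(a) + len(b))


def check_package(name, popular=POPULAR_PACKAGES, threshold=SIMILARITY_THRESHOLD):
    """Return a TYPOSQUAT signal dict for a suspected impostor, or None when the
    name is itself a popular package or is not close enough to any of them."""
    if name in popular:
        return None  # installing the real popular package is not a typosquat
    norm = normalize(name)
    best_pkg, best_score = None, 0.0
    for pop in popular:
        score = indel_ratio(norm, normalize(pop))
        if score > best_score:
            best_pkg, best_score = pop, score
    if best_pkg is not None and best_score >= threshold:
        return {"package": name, "matches": best_pkg, "similarity": round(best_score, 1),
                "signal": "TYPOSQUAT", "severity": "HIGH"}
    return None
```

With a plain ratio scorer, a single transposition in a short name (reqeusts vs requests) scores 87.5% and falls under the 90% line, so the choice of scorer matters as much as the threshold.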

What Happens When a Typosquat Is Detected

When a firewall with typosquat protection enabled receives an install request for a suspected typosquat, it blocks the installation and returns a clear error message explaining the match. The developer sees exactly which popular package the name resembles and the similarity percentage.

All blocked install attempts are logged in the firewall's activity feed with the signal type, similarity score, and the matched popular package. Security teams can review these events to assess whether the package is a legitimate new project or a genuine attack.

  • Severity: HIGH
  • Signal Type: TYPOSQUAT
  • Detection Phase: Phase 1 (Inline)
  • Registries: PyPI, npm, Go
  • Method: Fuzzy string matching (rapidfuzz)
  • Threshold: 90% similarity

Real-World Example

$ pip install requ3sts

ERROR: Package blocked by Hextrap
Reason: Suspected typosquat
  requ3sts → 95% match to requests
  Signal: TYPOSQUAT (HIGH)

Protect Against Typosquatting Today

Enable typosquat detection on your firewall in seconds