
Detecting Typosquatting Packages in npm and PyPI

When to Use

  • Auditing project dependencies to identify packages whose names are suspiciously similar to popular libraries
  • Proactively scanning package registries for newly published packages that may be typosquats of your organization's packages
  • Investigating a suspected supply chain compromise where a developer installed a misspelled package name
  • Building automated monitoring that alerts when new packages appear with names close to critical dependencies
  • Assessing the risk profile of unfamiliar packages before adding them to a project's dependency tree

Do not use as the sole determination of malicious intent; name similarity alone does not prove a package is malicious. Do not use for bulk automated takedown requests without manual review of flagged packages. Do not use against private registries without authorization.

Prerequisites

  • Python 3.9+ with requests and python-Levenshtein (or rapidfuzz) packages installed
  • Network access to https://pypi.org/pypi/<package>/json (PyPI JSON API) and https://registry.npmjs.org/<package> (npm registry API)
  • A list of popular or critical packages to monitor (e.g., top 1000 PyPI packages, organization's dependency list)
  • Understanding of common typosquatting patterns: character omission, transposition, insertion, substitution, and hyphen/underscore manipulation

Workflow

First seen: Mar 30, 2026