Architecture & Design
Typosquatting
Typosquatting is a type of attack where adversaries register domain names or publish packages with names similar to legitimate ones, betting that users will accidentally use the malicious version due to typos. In package registries, this means registering packages like "requets" (instead of "requests") or "lodahs" (instead of "lodash"). Malicious packages often contain code that steals environment variables, SSH keys, or credentials. Always verify package names carefully and use lockfiles to prevent accidental version changes.
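An added example (not code from the original glossary entry) of the kind of pre-install check the paragraph implies: compare each requested package name against a list of well-known names and flag anything one typo away. The distance function counts adjacent transpositions, so "lodahs" scores as 1 edit from "lodash" rather than 2. The KNOWN_PACKAGES list and the dependency list in the demo are constructed for this example; in practice the list would come from your lockfile or an internal allowlist.

```python
# Added example: flag package names that are one typo away from a well-known
# package before they are installed. KNOWN_PACKAGES is a constructed list.
from typing import Dict, List, Tuple

KNOWN_PACKAGES = ["requests", "lodash", "numpy", "express", "urllib3"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'lodahs' is 1 edit from 'lodash' (plain Levenshtein would report 2).
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(requested: List[str], known: List[str] = KNOWN_PACKAGES,
                    max_distance: int = 1) -> Dict[str, Tuple[str, int]]:
    """Map each requested name that is not an exact known name, but lies
    within max_distance edits of one, to (closest_known_name, distance)."""
    hits: Dict[str, Tuple[str, int]] = {}
    for name in requested:
        n = name.strip().lower()
        if n in known:
            continue  # exact match: nothing to flag
        best = min(known, key=lambda k: osa_distance(n, k))
        dist = osa_distance(n, best)
        if dist <= max_distance:
            hits[name] = (best, dist)
    return hits


if __name__ == "__main__":
    # Constructed dependency list: two typos, one exact match, one unrelated name.
    deps = ["requets", "lodahs", "numpy", "flask"]
    for bad, (near, dist) in find_lookalikes(deps).items():
        print(f"suspicious: {bad!r} is {dist} edit(s) from {near!r}")
```

Run it as a CI step over the names in a lockfile or manifest and fail the build on any hit; a distance threshold of 1 keeps false positives low while still catching the single-character slips the entry describes.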
Why it matters for your website
- Foundational principle in modern security — harder to retrofit than to build in from the start
- Reduces breach impact by limiting what attackers can access if they get in
- Required control in ISO 27001, NIST CSF, and most compliance frameworks