NPM Typosquatting

It occurs when the attacker creates a package with a name similar to a popular package, inducing users to install this package inadvertently. This attack strategy is generic and often used with different package managers, including npm.

A famous example was the crossenv malware incident: crossenv (without dash) was a typo-squatting malicious package trying to be installed by developers referencing the popular cross-env package.

If the project has the malicious dependency then the code written by the attacker could be executed.

Even the package may contain the same functionality as the original and thus go unnoticed and end up running in a production environment.

Choose the right dependency and be careful when adding new ones.

This tool proposes a popular package to replace the malicious one when it finds such misconfiguration.