npm Typosquat Checker

Scan any npm package name for lookalike packages that could be used in a typosquatting or dependency confusion supply-chain attack. Each result is risk-scored across six signals — recency, download volume, description similarity, attack vector, maintainer count, and lifecycle script presence.

Access the full tool

Free for all SpoofChecker members. Log in to run a scan.


What this tool detects

Typosquat variants

Character swaps, omissions, insertions, transpositions, and homoglyph substitutions across hundreds of generated variants.

Dependency confusion

Scope-strip attacks — public packages that shadow your private @org/package and get resolved by npm automatically.

Lifecycle script malware

postinstall / preinstall scripts that execute arbitrary code the moment a developer runs npm install.

Risk scoring

HIGH / MED / LOW classification based on registration date, download volume, description copy, and attack vector type.

Recency signals

Packages registered in the last 30 days are the highest-risk — active squatting campaigns typically register fresh.

CSV & JSON export

Download the full report for ticketing, audit trails, or piping into your own security tooling.

Frequently asked questions

What is npm typosquatting?

npm typosquatting is when an attacker registers a package name that closely resembles a popular legitimate package — for example lodahs instead of lodash. Developers who mistype the name during installation unknowingly install the attacker's code, which often contains a postinstall script that exfiltrates environment variables, tokens, or credentials.

What is a dependency confusion attack?

A dependency confusion (or namespace confusion) attack targets internal packages that exist only under a private scope — e.g. @mycompany/utils. If an attacker publishes a public package with the unscoped name utils, npm may resolve to the public version instead, silently installing the attacker's code with no typo required.

What attack patterns does this checker cover?

The fuzzer generates variants using: character omission, transposition, substitution (including homoglyphs), insertion, repetition, separator swap (hyphens ↔ underscores), word order swap, prefix/suffix addition, bit-squatting, and scope-strip (dependency confusion). Each variant is checked against the live npm registry.
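As an added illustration of the variant classes listed above (this is example code, not SpoofChecker's fuzzer), the generator below produces the lookalike names a maintainer would want to watch or pre-register for a package they own. The homoglyph table, the insertion alphabet, the prefix/suffix list and the npm-name regex are small, constructed samples; a real scan would feed each name to the registry and drop the ones that are unregistered.

```javascript
// Added example, not SpoofChecker's code: enumerate lookalike names for a package
// you own so the registered ones can be reviewed. All tables below are assumptions.
const HOMOGLYPHS = { l: ['1', 'i'], i: ['l', '1'], o: ['0'], s: ['5'], a: ['4'], e: ['3'], g: ['q'], q: ['g'] };
const PREFIX_SUFFIX = ['js', 'node', 'npm', 'lib'];
const INSERT_CHARS = 'aeiou-';
// conservative shape of a valid npm name (assumption; the registry's rules are broader)
const VALID = /^(@[a-z0-9-]+\/)?[a-z0-9][a-z0-9._-]*$/;

// split "@scope/base" into its scope prefix (with trailing slash) and base name
function splitScope(name) {
  const m = name.match(/^(@[^/]+\/)?(.*)$/);
  return { scope: m[1] || '', base: m[2] };
}

function generateVariants(name) {
  const { scope, base } = splitScope(name);
  const out = new Set();
  // keep a candidate only if it is a valid npm name and differs from the original
  const add = (b) => { const v = scope + b; if (v !== name && VALID.test(v)) out.add(v); };

  for (let i = 0; i < base.length; i++) {
    const ch = base[i];
    // omission: drop one character
    add(base.slice(0, i) + base.slice(i + 1));
    // transposition: swap two adjacent characters (lodash -> lodahs)
    if (i < base.length - 1) add(base.slice(0, i) + base[i + 1] + ch + base.slice(i + 2));
    // repetition: double one character
    add(base.slice(0, i) + ch + base.slice(i));
    // substitution with homoglyphs (o -> 0, l -> 1, ...)
    for (const h of HOMOGLYPHS[ch] || []) add(base.slice(0, i) + h + base.slice(i + 1));
    // bit-squatting: flip one bit of the character, keep only valid results
    for (let bit = 0; bit < 7; bit++) {
      const flipped = String.fromCharCode(ch.charCodeAt(0) ^ (1 << bit));
      if (/[a-z0-9]/.test(flipped)) add(base.slice(0, i) + flipped + base.slice(i + 1));
    }
  }
  // insertion: one extra character at every position
  for (let i = 0; i <= base.length; i++) {
    for (const c of INSERT_CHARS) add(base.slice(0, i) + c + base.slice(i));
  }
  // separator swap (hyphen <-> underscore, or separator removed)
  if (base.includes('-')) { add(base.replace(/-/g, '_')); add(base.replace(/-/g, '')); }
  if (base.includes('_')) add(base.replace(/_/g, '-'));
  // word order swap for two-word names (react-dom -> dom-react)
  const parts = base.split(/[-_]/);
  if (parts.length === 2) add(parts[1] + '-' + parts[0]);
  // prefix/suffix addition
  for (const p of PREFIX_SUFFIX) { add(p + '-' + base); add(base + '-' + p); add(p + base); add(base + p); }
  // scope-strip (dependency confusion): the unscoped name of a scoped package
  if (scope && VALID.test(base)) out.add(base);
  return out;
}

// usage: generateVariants('lodash').has('lodahs') === true
```

The set is intentionally over-inclusive: the point of the step is recall, and the registry lookup plus the risk score do the filtering.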
How is the risk score calculated?

Six signals contribute to a numeric score: (1) package registration recency — under 30 days scores +3; (2) zero weekly downloads — +2; (3) description similarity to the target via Jaccard word-set comparison — copied descriptions score +3; (4) high-impact attack vector — +1; (5) single maintainer — +0.5; (6) no published version — +1. Score ≥ 4 = HIGH (red), ≥ 2 = MED (amber), < 2 = LOW (green).

What are postinstall script attacks?

npm's postinstall, preinstall, install, and prepare lifecycle scripts run automatically during npm install with no user interaction. Malicious packages use these to exfiltrate secrets, install backdoors, or mine cryptocurrency. This tool checks the package.json of high-risk variants and flags any that define these scripts.
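The two answers above (the six-signal score and the lifecycle-script check) are worked through below on constructed registry-style metadata. This is an added example, not SpoofChecker's scoring code: the field names on the candidate objects, the Jaccard threshold used to call a description "copied" (0.8), and the set of vectors treated as high-impact are assumptions, while the point values and the HIGH/MED/LOW cut-offs are the ones stated in the FAQ.

```javascript
// Added example, not SpoofChecker's code: six-signal risk score plus lifecycle-script
// flag over constructed candidate metadata. Thresholds and field names are assumptions.
const DAY_MS = 86400000;
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const HIGH_IMPACT_VECTORS = new Set(['transposition', 'homoglyph', 'scope-strip']); // assumption
const COPY_THRESHOLD = 0.8; // Jaccard similarity at which a description counts as copied (assumption)

function wordSet(text) {
  return new Set((text || '').toLowerCase().match(/[a-z0-9]+/g) || []);
}

// Jaccard similarity of the word sets of two descriptions, in [0, 1]
function jaccard(a, b) {
  const A = wordSet(a), B = wordSet(b);
  if (A.size === 0 && B.size === 0) return 0;
  let inter = 0;
  for (const w of A) if (B.has(w)) inter++;
  return inter / (A.size + B.size - inter);
}

// score one candidate against the target; `now` is epoch ms so runs are reproducible
function scoreCandidate(target, cand, now) {
  const reasons = [];
  let score = 0;
  const ageDays = (now - Date.parse(cand.created)) / DAY_MS;
  if (ageDays < 30) { score += 3; reasons.push(`registered ${Math.floor(ageDays)}d ago`); }
  if (cand.weeklyDownloads === 0) { score += 2; reasons.push('zero weekly downloads'); }
  const sim = jaccard(target.description, cand.description);
  if (sim >= COPY_THRESHOLD) { score += 3; reasons.push(`description copied (jaccard ${sim.toFixed(2)})`); }
  if (HIGH_IMPACT_VECTORS.has(cand.vector)) { score += 1; reasons.push(`high-impact vector: ${cand.vector}`); }
  if (cand.maintainers.length === 1) { score += 0.5; reasons.push('single maintainer'); }
  if (!cand.latestVersion) { score += 1; reasons.push('no published version'); }
  // lifecycle scripts are reported alongside the score, as the FAQ describes
  const lifecycleScripts = LIFECYCLE.filter((k) => cand.scripts && k in cand.scripts);
  const level = score >= 4 ? 'HIGH' : score >= 2 ? 'MED' : 'LOW';
  return { name: cand.name, score, level, reasons, lifecycleScripts };
}

// highest risk first
function rankCandidates(target, cands, now) {
  return cands.map((c) => scoreCandidate(target, c, now)).sort((a, b) => b.score - a.score);
}

// constructed sample data; none of it describes a real registry entry
const NOW = Date.parse('2024-06-01T00:00:00Z');
const TARGET = { name: 'lodash', description: 'Lodash modular utilities.' };
const CANDIDATES = [
  { name: 'lodahs', created: '2024-05-27T00:00:00Z', weeklyDownloads: 0,
    description: 'Lodash modular utilities.', vector: 'transposition',
    maintainers: ['m1'], latestVersion: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  { name: 'lodas', created: '2024-05-22T00:00:00Z', weeklyDownloads: 3,
    description: '', vector: 'omission', maintainers: ['m2'], latestVersion: '0.0.1' },
  { name: 'lodash-lib', created: '2015-01-01T00:00:00Z', weeklyDownloads: 1000000,
    description: 'Helpers exported as ES modules.', vector: 'suffix',
    maintainers: ['a', 'b'], latestVersion: '4.0.0', scripts: { test: 'node test.js' } },
];

// usage: rankCandidates(TARGET, CANDIDATES, NOW)[0] -> lodahs, score 9.5, HIGH, postinstall flagged
```

Note that a `test` script is not a lifecycle hook and is not flagged, while a single `postinstall` entry is reported even on a candidate that would already score HIGH on the other signals; the two findings are kept separate so a reviewer sees both.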