NPM Typosquat Checker — Detect Supply-Chain Attacks Before They Hit Your Pipeline

The NPM Typosquat Checker scans any npm package name for registered typosquatting variants — malicious packages crafted to impersonate popular libraries through subtle misspellings, character substitutions, or scope manipulation. Enter a package name, click Scan, and get a scored, sortable report of every suspicious match on the live npm registry.


How the NPM Typosquat Checker Works

When you submit a package name, the tool generates hundreds of name variants using over ten fuzzing techniques, then queries the npm registry for each one in parallel. Any variant that resolves to a real package is enriched with metadata — version, creation date, weekly download count, maintainer list, and description — and scored for risk using six independent signals.

Attack Vectors Detected

Character Omission: Missing a single letter — expres instead of express.
Transposition: Two adjacent characters swapped — loadsh for lodash.
Character Substitution: Visually similar characters — reakt for react, 0 for o.
Separator Swap: Hyphens replaced with dots or underscores — common in Go-to-npm porting attacks.
Word Order: Multi-word package names with reversed segments — utils-async vs async-utils.
Dependency Confusion: Scoped packages (@org/pkg) checked for unscoped public equivalents that npm might resolve first.
Prefix / Suffix Padding: Common affixes added — lodash-js, node-express, react2.
Double Character: A single character doubled — loddash, exprress.
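The variant families above, implemented as a candidate generator (an added example, not the checker's own code): it returns a Map of candidate name to attack vector that a registry lookup step would consume, and the look-alike and affix tables it uses are assumptions rather than the tool's.

```javascript
// Added example, not the checker's own code: build the candidate set for one
// package name using the vector families listed above. Registry lookup is
// left out; the Map (candidate -> vector) is what a lookup step would consume.
// Look-alike and affix tables are assumed, not taken from the tool.
const LOOKALIKES = { o: '0', l: '1', i: '1', e: '3', a: '4', s: '5', c: 'k', k: 'c' };
const PREFIXES = ['node-', 'npm-'];
const SUFFIXES = ['-js', 'js', '2', '-node'];

function generateVariants(name) {
  const out = new Map();
  const add = (v, vector) => { if (v && v !== name && !out.has(v)) out.set(v, vector); };

  // Dependency confusion: "@org/pkg" -> unscoped "pkg", which a public registry may resolve first
  const scoped = name.match(/^@[^/]+\/(.+)$/);
  if (scoped) add(scoped[1], 'dependency-confusion');
  const base = scoped ? scoped[1] : name;

  for (let i = 0; i < base.length; i++) {
    add(base.slice(0, i) + base.slice(i + 1), 'omission');                    // expres
    add(base.slice(0, i) + base[i] + base.slice(i), 'double-char');           // loddash
    if (i < base.length - 1 && base[i] !== base[i + 1]) {                     // loadsh
      add(base.slice(0, i) + base[i + 1] + base[i] + base.slice(i + 2), 'transposition');
    }
    const sub = LOOKALIKES[base[i]];
    if (sub) add(base.slice(0, i) + sub + base.slice(i + 1), 'substitution'); // l0dash
  }

  // Separator swap and word order only apply to multi-segment names
  const sep = base.match(/[-._]/);
  if (sep) {
    for (const s of ['-', '.', '_']) add(base.replace(/[-._]/g, s), 'separator-swap');
    add(base.split(/[-._]/).reverse().join(sep[0]), 'word-order');           // utils-async
  }

  for (const p of PREFIXES) add(p + base, 'affix');                           // node-express
  for (const s of SUFFIXES) add(base + s, 'affix');                           // lodash-js, react2
  return out;
}
```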

Risk Scoring — How HIGH / MED / LOW is Determined

Each registered variant is evaluated across six signals that together indicate whether a package is a likely attack or just a name collision:

  • Recency — packages registered within the last 30 days receive the highest weight; within 6 months gets a smaller penalty. Fresh registrations are the primary supply-chain threat signal.
  • Zero or near-zero weekly downloads — placeholder squats typically sit at zero downloads while they wait for victims. Legitimate similarly-named packages accumulate traffic.
  • Description similarity — attackers often copy-paste the target's description verbatim to appear legitimate. The tool compares descriptions using Jaccard word-set similarity; scores above 50 % are flagged as copied.
  • Attack vector type — dependency confusion and separator-swap are the highest-impact techniques and carry a bonus risk point.
  • Single unknown maintainer — prolific npm maintainers are far less likely to be squatters. A sole unknown publisher adds a fractional risk point.
  • No published version — packages registered but never published are placeholder reservations, a strong squatting indicator.

Packages scoring 4 or more signals are flagged HIGH; 2–3 are MED; below 2 are LOW. HIGH and MED results are also checked asynchronously for dangerous lifecycle scripts (postinstall, preinstall, install, prepare) that execute automatically on npm install.

Lifecycle Script Detection

npm allows packages to define scripts that run automatically during installation without any developer confirmation. Malicious packages exploit this to execute arbitrary code — stealing environment variables, tokens, SSH keys, or AWS credentials — the moment a developer runs npm install. The checker asynchronously fetches the package.json of HIGH and MED risk results and flags any that define lifecycle scripts with a purple ⚠ postinstall badge. These packages should be treated as active threats and investigated immediately.
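The six-signal scoring and the lifecycle-script check described in the two sections above, as an added example rather than the checker's own code: the 30-day and 6-month windows, the 50 % Jaccard cut-off and the 4 / 2 risk bands come from the text, while the point weights, the "near-zero downloads" threshold and the sample records are assumptions.

```javascript
// Added example, not the checker's own code: score one registered variant with
// the six signals described above and map the total to HIGH / MED / LOW, then
// list the lifecycle hooks a package.json would run on install. Point weights and
// the "near-zero downloads" threshold are assumptions; the 30-day / 6-month
// windows, the 50 % Jaccard cut-off and the 4 / 2 bands come from the text.
const DAY_MS = 86400e3;
const HIGH_IMPACT = new Set(['dependency-confusion', 'separator-swap']);
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Jaccard similarity of the two descriptions' word sets (0..1)
function jaccard(a, b) {
  const words = (s) => new Set(String(s || '').toLowerCase().split(/\W+/).filter(Boolean));
  const A = words(a), B = words(b);
  if (A.size === 0 && B.size === 0) return 0;
  const inter = [...A].filter((w) => B.has(w)).length;
  return inter / (A.size + B.size - inter);
}

// meta: { created, weeklyDownloads, description, maintainers, latest, vector } for the variant
// target: { description, maintainers } for the legitimate package
function scoreVariant(meta, target, now = Date.now()) {
  const ageDays = (now - Date.parse(meta.created)) / DAY_MS;
  const signals = {
    recency: ageDays <= 30 ? 2 : ageDays <= 182 ? 1 : 0,                      // assumed weights
    noTraffic: meta.weeklyDownloads <= 10 ? 1 : 0,                             // assumed threshold
    copiedDescription: jaccard(meta.description, target.description) > 0.5 ? 1 : 0,
    highImpactVector: HIGH_IMPACT.has(meta.vector) ? 1 : 0,
    singleUnknownMaintainer:
      meta.maintainers.length === 1 && !target.maintainers.includes(meta.maintainers[0]) ? 0.5 : 0,
    neverPublished: meta.latest ? 0 : 1,
  };
  const score = Object.values(signals).reduce((sum, v) => sum + v, 0);
  const level = score >= 4 ? 'HIGH' : score >= 2 ? 'MED' : 'LOW';
  return { score, level, signals };
}

// Hooks npm runs automatically during `npm install`, with no developer confirmation
function lifecycleScripts(packageJson) {
  const scripts = (packageJson && packageJson.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string' && scripts[k].trim() !== '');
}

// Constructed sample records (not real registry data)
const NOW = Date.parse('2024-06-15T00:00:00Z');
const target = { description: 'Lodash modular utilities.', maintainers: ['maintainer-a'] };
const squat = { created: '2024-06-01T00:00:00Z', weeklyDownloads: 0, description: 'Lodash modular utilities.',
  maintainers: ['unknown-user'], latest: '1.0.0', vector: 'transposition' };
console.log(scoreVariant(squat, target, NOW).level, lifecycleScripts({ scripts: { postinstall: 'node setup.js' } }));
```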

Frequently Asked Questions

What is npm typosquatting?

npm typosquatting is when an attacker registers a package name that closely resembles a popular legitimate package — for example lodahs instead of lodash. Developers who mistype the package name during installation unknowingly install the attacker's code, which often contains a postinstall script that exfiltrates environment variables, tokens, or credentials.

What is a dependency confusion attack?

A dependency confusion attack targets packages that exist only in a private registry under a scope — for example @mycompany/utils. If an attacker publishes a public package with the same unscoped name (utils), npm may resolve to the public version instead of the private one, installing the attacker's code. This checker detects scope-strip variants for any scoped package you scan.

How do I use the NPM Typosquat Checker?

Enter any npm package name and click Scan. The tool generates hundreds of variants, checks each against the npm registry in parallel, and returns a scored report in seconds. Results can be sorted by risk score, attack vector, creation date, or download count, and exported as CSV or JSON for use in CI pipelines or security audits.

Is this tool free to use?

Yes — the NPM Typosquat Checker is free. No account is required to scan a package.

Can I integrate the results into my CI pipeline?

Yes. Export results as JSON or CSV from the tool, then import them into your preferred security scanner, SIEM, or build pipeline. The JSON format preserves all scored fields including risk level, attack vector, lifecycle script flags, and raw metadata.

What should I do if I find a HIGH risk result?

Check the maintainer list — if you don't recognise the publisher, treat the package as hostile. Look at the creation date; if it was registered after the legitimate package became popular, that's strong evidence of intent. Check for lifecycle scripts. If the package is genuinely malicious, report it to the npm security team and consider filing a disclosure.