What are they?
Dependency Typos, also known as Typosquats, are packages published to public package registries which look very similar to legitimate packages in naming and appearance (description, links, etc.).
Often these packages will have slight changes in their naming which can lead to inadvertent installation. These packages are not always malicious as they may simply be an older version of the package, a package that has been renamed, or just a similarly named package.
How does that affect my code?
If the package is malicious, this can open your code and your users to various vulnerabilities, including remote code execution, data access, compromised systems, and more.
What can I do about it?
To address typos, SOOS recommends confirming if the package is a typo through a manual review.
- If it does appear to be malicious, remove the package immediately and investigate whether a security breach occurred. Please also contact the package registry to report the package!
- If you deem it to not be a typo and it is the intended package version, remove the Typo issue from your issue list by suppressing it.
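A manual review is easier when you know which names to look at first. The script below is an added example, not SOOS's own tooling: it compares each dependency name against a constructed allow-list of well-known packages using Damerau-Levenshtein distance (one insertion, deletion, substitution or adjacent swap per edit) after registry-style normalization, and flags names that are close but not identical. The `KNOWN_PACKAGES` set and the dependency list are assumptions for illustration; in practice the allow-list would be the popular packages of the registry you use.

```python
"""Flag dependency names that sit suspiciously close to well-known packages.

Added example, not part of the SOOS documentation. KNOWN_PACKAGES and the
sample dependency list are constructed for illustration only.
"""

# Constructed allow-list of legitimate package names (assumption: in practice
# you would load the top-N names from the registry you depend on).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "python-dateutil", "cryptography"}


def normalize(name: str) -> str:
    """Registry-style normalization: case-insensitive, '-', '_' and '.' are equivalent."""
    return name.lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance between a and b."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            rows[i][j] = min(rows[i - 1][j] + 1,          # deletion
                             rows[i][j - 1] + 1,          # insertion
                             rows[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)  # adjacent swap
    return rows[len(a)][len(b)]


def find_suspects(dependencies, known=KNOWN_PACKAGES, max_distance=2):
    """Return {dependency: closest_known_package} for names that are near a known
    package but not identical to it. Exact (normalized) matches are the real thing
    and are skipped; short names get a tighter threshold to limit false positives."""
    normalized_known = {normalize(k): k for k in known}
    suspects = {}
    for dep in dependencies:
        n = normalize(dep)
        if n in normalized_known:
            continue
        limit = 1 if len(n) < 6 else max_distance
        best, best_dist = None, limit + 1
        for candidate in normalized_known:
            d = edit_distance(n, candidate)
            if d < best_dist:
                best, best_dist = candidate, d
        if best is not None:
            suspects[dep] = normalized_known[best]
    return suspects


if __name__ == "__main__":
    # Constructed dependency list: three near-misses, two exact matches, one unrelated name.
    sample = ["requests", "requsets", "urlib3", "numpy", "python_dateutil", "cryptograpy", "flask"]
    for dep, target in find_suspects(sample).items():
        print(f"review manually: {dep!r} looks like {target!r}")
```

Anything this flags still needs the manual review the page describes: a close name can be a legitimate fork or rename, which is why the script reports candidates rather than blocking installs.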