typosquat

Rendered from docs/alerts/typosquat.md


Flags package names that are suspiciously similar to well-known packages (e.g. misspellings or keyboard-adjacent typos).

Implemented in: src/lib/detection/plugins/typosquat/
Enabled by default: yes

What it means

The scanned package's name is close to, but not identical to, the name of a more popular package according to the plugin's “looks like” heuristic (for example a single-character misspelling, a swapped pair of letters, or a character replaced by a neighbouring key).

Why it matters

Typosquatting is a common tactic for tricking developers into installing malicious packages by mistake: an attacker publishes a package whose name is one slip away from a popular one, and a mistyped install command or dependency entry pulls in the attacker's code instead of the intended package.

What to do

  • Double-check the dependency name in package.json and in the lockfile, including the resolved registry URL the lockfile records for it.
  • Verify the publisher, repository and download history and compare them against the package you intended to install.
  • Prefer pinning exact versions and using provenance controls (signed or attested publishes) where possible.

Common fields

  • metadata may include similarity scores and a “did you mean” candidate naming the popular package the scanned name resembles