Typosquatting and Dependency Confusion

What Are Typosquatting and Dependency Confusion?

Typosquatting and dependency confusion are software supply chain attack techniques in which an attacker publishes a malicious package with a name similar to a legitimate one (typosquatting) or with the same name in a higher-priority registry (dependency confusion) — tricking build systems and developers into installing the attacker's code.

Both techniques exploit how package managers resolve dependencies. A misspelled package name, or an internal package name that an attacker has published to a public registry, can result in attacker code being installed at build time and propagated into production. The blast radius from a single successful typosquat or dependency confusion attack can be enormous, especially when the malicious package is pulled in by automated builds with unpinned dependencies.

Policy-based enforcement — like NetRise Provenance's Package Firewall Manager — is one of the most effective defenses, blocking unexpected packages at resolution time before they reach builds.
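The following is an added example, not code from the page or from NetRise, showing what a minimal resolution-time policy check for a Python manifest can look like. It assumes a hypothetical allowlist of approved packages, a hypothetical internal package prefix (`acme-internal-`), and a constructed `requirements.txt`-style manifest. It flags three things the text describes: names within a small edit distance of an approved package (possible typosquats), internal packages resolved through a manifest that adds a public index via `--extra-index-url` (pip merges candidates from every index and picks the highest version, which is the dependency confusion vector), and unpinned versions that widen the blast radius of either attack.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample manifest in requirements.txt syntax; not taken from the page.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.org/simple
requests==2.31.0
reqeusts==2.31.0
acme-internal-auth
numpy>=1.26
"""

# Hypothetical policy: approved packages, the organisation's internal package
# prefix, and the largest edit distance still treated as a likely typo.
APPROVED_PACKAGES = {"requests", "numpy", "acme-internal-auth"}
INTERNAL_PREFIX = "acme-internal-"
TYPO_DISTANCE = 2

# Name followed by an optional version specifier; extras ("pkg[foo]") are not handled.
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '.', '_' and '-' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute); used for typo detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a manifest into pip option lines and (normalised name, specifier) pairs."""
    options, requirements = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            options.append(line)
            continue
        match = _REQ_LINE.match(line)
        if match:
            requirements.append((normalize(match.group(1)), match.group(2).strip()))
    return options, requirements


def check_manifest(text: str) -> List[Dict[str, str]]:
    """Apply the policy and return one finding per violated rule."""
    findings: List[Dict[str, str]] = []
    options, requirements = parse_requirements(text)
    approved = {normalize(p) for p in APPROVED_PACKAGES}

    # A public index added via --extra-index-url competes with the internal index
    # on version number, so internal names become resolvable from the public side.
    has_extra_index = any(opt.startswith("--extra-index-url") for opt in options)
    if has_extra_index:
        findings.append({"package": "<manifest>", "rule": "extra-index-url",
                         "detail": "public index merged with internal index"})

    for name, spec in requirements:
        if name not in approved:
            nearest = min(approved, key=lambda p: levenshtein(name, p))
            if 0 < levenshtein(name, nearest) <= TYPO_DISTANCE:
                findings.append({"package": name, "rule": "possible-typosquat",
                                 "detail": f"close to approved package {nearest!r}"})
            else:
                findings.append({"package": name, "rule": "not-approved",
                                 "detail": "not on the allowlist"})
        if not spec.startswith("=="):
            findings.append({"package": name, "rule": "unpinned",
                             "detail": f"specifier {spec!r} is not an exact pin"})
        if name.startswith(INTERNAL_PREFIX) and has_extra_index:
            findings.append({"package": name, "rule": "dependency-confusion-risk",
                             "detail": "internal name resolved with a public index present"})
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_REQUIREMENTS):
        print(f"{finding['rule']:26} {finding['package']:22} {finding['detail']}")
```

Run as a pre-install gate in CI, a non-empty result from `check_manifest` should fail the build; the `extra-index-url` and `dependency-confusion-risk` rules point at the index configuration rather than at a single package, which is where the dependency confusion fix (one authoritative index for internal names, exact pins or hashes) actually lives.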

Related Terms

Software Supply Chain Attack · Package Firewall Manager · Blast Radius · NetRise Provenance