Glossary
Typosquatting and Dependency Confusion
What Are Typosquatting and Dependency Confusion?
Typosquatting and dependency confusion are software supply chain attack techniques in which an attacker publishes a malicious package with a name similar to a legitimate one (typosquatting) or with the same name in a higher-priority registry (dependency confusion) — tricking build systems and developers into installing the attacker's code.
Both techniques exploit how package managers resolve dependencies. A misspelled package name, or an internal package name that an attacker has published to a public registry, can result in attacker code being installed at build time and propagated into production. The blast radius from a single successful typosquat or dependency confusion attack can be enormous, especially when the malicious package is pulled in by automated builds with unpinned dependencies.
Policy-based enforcement — like NetRise Provenance's Package Firewall Manager — is one of the most effective defenses, blocking unexpected packages at resolution time before they reach builds.
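As an added illustration (not NetRise's or Provenance's own code), the following Python sketches a resolution-time policy check that flags both patterns: requested names within a small edit distance of a known-good package, and internal names about to be fetched from a public registry. The package names, the internal registry URL, the resolver output and the edit-distance threshold are all constructed assumptions.

```python
# Added example, not NetRise's own code: a minimal resolution-time policy check that
# flags typosquat candidates (requested names within a small edit distance of a
# known-good package) and dependency-confusion candidates (internal names about to
# be fetched from a public registry). All names and registry URLs are constructed.
import re
KNOWN_PUBLIC = {"requests", "urllib3", "numpy", "django"}  # constructed allowlist
INTERNAL_NAMES = {"acme-auth", "acme-billing"}             # constructed internal names
INTERNAL_REGISTRY = "https://pypi.acme.example/simple"     # placeholder internal feed
PUBLIC_REGISTRY = "https://pypi.org/simple"

def normalize(name):
    # PEP 503 normalization: PyPI treats "Foo_Bar", "foo.bar" and "foo-bar" as the
    # same project, so a policy must compare normalized names or it can be bypassed.
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Levenshtein distance (insert / delete / substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidate(name, known=KNOWN_PUBLIC, max_dist=2):
    """Return the known package `name` closely resembles, or None if exact/unrelated."""
    n = normalize(name)
    if n in known:
        return None
    dist, match = min((edit_distance(n, k), k) for k in known)
    return match if dist <= max_dist else None

def check_resolution(resolutions):
    """Evaluate (requested name, registry URL) pairs and return policy findings."""
    findings = []
    for name, registry in resolutions:
        if normalize(name) in INTERNAL_NAMES and registry != INTERNAL_REGISTRY:
            findings.append((name, "dependency confusion: internal name from " + registry))
        elif (match := typosquat_candidate(name)) is not None:
            findings.append((name, "typosquat candidate: resembles " + match))
    return findings

SAMPLE_RESOLUTION = [                     # constructed resolver output
    ("requests", PUBLIC_REGISTRY),        # legitimate
    ("reqeusts", PUBLIC_REGISTRY),        # transposed letters
    ("Numpy", PUBLIC_REGISTRY),           # case differs, normalizes to numpy
    ("acme-auth", PUBLIC_REGISTRY),       # internal name resolved from the public feed
    ("acme-billing", INTERNAL_REGISTRY),  # internal name from the internal feed
]
```

Running `check_resolution(SAMPLE_RESOLUTION)` flags only `reqeusts` and `acme-auth`; a real package firewall would additionally fail the build or block the download when any finding is returned.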
Related Terms
Software Supply Chain Attack · Package Firewall Manager · Blast Radius · NetRise Provenance