CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

Attackers Move Past Typosquatting to Realistic Package Impersonation

Infosecurity Magazine Archived May 28, 2026 ✓ Full text saved

Most malicious open source packages now mimic real code rather than rely on typosquatting

Full text archived locally
✦ AI Summary · Claude Sonnet


    Most malicious open source packages have moved beyond misspelling popular project names, instead disguising themselves as plausible plugins, configs and helpers that fit naturally into a developer's workflow. That is the central finding of new analysis by Sonatype, which examined 4309 malicious packages and found that 91% used naming-variant tactics rather than classic typosquatting. Only 9% depended on the spelling slips that traditional defenses are built to catch. The shift matters because these packages are not harmless lookalikes. The most common behaviors were host and secrets exfiltration, followed by droppers and backdoors, turning a routine install into a route for credential theft and follow-on compromise. Borrowing the Language of Real Code Rather than copying a trusted name letter-for-letter, attackers now increasingly build names that look adjacent to a legitimate project. Sonatype recorded suffix addition as the single most common tactic, accounting for 43.6% of cases, alongside prefixes, embedded target terms, dependency-confusion patterns and version mimicry. Credit: Sonatype. These names work because they feel routine. Developers expect popular frameworks to carry a long tail of plugins, software development kits (SDKs), wrappers and scoped modules, so terms like plugin, config and sdk rarely trigger suspicion, giving attackers room to hide multi-stage behavior in plain sight. "Typosquatting is table stakes now," said Brian Fox, CTO and co-founder of Sonatype. He added that attackers are copying the language, structure and habits of real software ecosystems, and that a malicious package may already sit on a developer machine by the time it has built a reputation. Credit: Sonatype. Targeting Trusted Ecosystems The activity clusters where adjacent packages are already common. React was the most-targeted ecosystem with 540 malicious packages, ahead of the ESLint plugin and config ecosystem and Tailwind's library of add-ons, with crypto and DeFi tooling also featuring heavily. Read more on similar threats: Researchers Uncover 454,000+ Malicious Open Source Packages Credit: Sonatype. Sonatype also pointed to evidence of industrialization, with the same naming tactics, infrastructure and identities reused across multiple package families rather than appearing as one-off attempts. Defenders, the cybersecurity vendor argued, should assess suspicious packages at the campaign and publisher levels, not one package at a time. The takeaway for security teams is that typo detection and static reputation checks are no longer enough. Sonatype urged organizations to add friction for first-seen dependencies, scrutinize anything that looks framework-adjacent and weigh naming patterns and publisher behavior before a component enters the build.
    💬 Team Notes
    Article Info
    Source
    Infosecurity Magazine
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗