In March 2017, a security researcher uploaded roughly 40 typosquatted packages to PyPI with names like python3-dateutil, urllib-3, and beautfulsoup4 — deliberate misspellings of popular libraries such as python-dateutil, urllib3, and beautifulsoup4. The proof-of-concept packages phoned home every time a developer mistyped pip install and got them by mistake, and PyPI removed them only after the researcher disclosed the experiment. That 2017 stunt previewed a technique that has since become a standing feature of the Python ecosystem: attackers register a package name one keystroke away from a popular one, wait for developer typos and copy-paste errors, and ship malware through the resulting installs. With PyPI now hosting more than 600,000 projects and pip offering no built-in name-similarity warnings, typosquatting remains one of the cheapest, highest-yield attacks against the Python supply chain.
What Is PyPI Typosquatting?
PyPI typosquatting is the practice of publishing a malicious package under a name that closely resembles a legitimate, popular package, betting that developers will install the wrong one by mistake. The technique exploits simple human error rather than any vulnerability in PyPI's infrastructure. Common patterns include single-character swaps (reqeusts for requests), added or removed hyphens and underscores (python-json for python_json), pluralization tricks (beautifulsoup vs. beautifulsoup4), and homoglyph substitutions where a capital "I" replaces a lowercase "l" — as seen in the 2023 jeIlyfish package impersonating the legitimate jellyfish library. Because pip install executes a package's setup.py at install time, a single mistyped command can run arbitrary code before a developer ever imports the module.
How Do Attackers Pick Names That Fool Developers?
Attackers pick names using predictable string-distance tricks, not guesswork, because they can automate the process against PyPI's full package index. Documented techniques include: omission (dropping a letter, e.g. urllib3 to urllib), repetition (requessts), transposition (opencv-pyhton), substitution of visually similar characters (0 for o, 1 for l), and separator swaps between hyphens, underscores, and dots — which matter because PyPI normalizes some of these but pip resolution and internal package indexes don't always agree. Researchers at Datadog and North Carolina State University have both published typosquat-detection studies showing that a Damerau-Levenshtein edit distance of 1 or 2 from a top-5,000 PyPI package catches the overwhelming majority of real-world squats, which is exactly why automated scanners can flag candidate names faster than any manual review.
What Malicious Packages Have Been Caught on PyPI?
Several well-documented campaigns show the pattern playing out at scale. In October 2022, Checkmarx researchers uncovered more than two dozen PyPI packages — including colorwin, pyefile, and twyne — mimicking legitimate libraries to distribute the W4SP Stealer, which harvested Discord tokens, browser credentials, and cryptocurrency wallet data. In late 2022, a package named colourama (a near-miss of the widely used colorama) was found silently swapping clipboard contents to redirect cryptocurrency payments to attacker-controlled wallets. In December 2022, the torchtriton incident showed a variant of the same root problem — dependency confusion rather than pure typosquatting — when a malicious package uploaded to PyPI shadowed a PyTorch nightly-build dependency name and was pulled automatically by CI systems. And Sonatype's 2023 State of the Software Supply Chain report counted 245,032 malicious open-source packages discovered that year across npm, PyPI, and other registries — more than double the combined total from all prior years tracked in the report, with typosquats and dependency-confusion packages among the most common tactics.
Why Does pip Make Typosquatting So Effective?
pip makes typosquatting effective because it has no built-in namespace verification, similarity warning, or reserved-name protection — it installs whatever name you give it, correct or not. Unlike ecosystems that support scoped packages (npm's @org/package convention, for instance), PyPI's flat namespace means requests and requesocks live in the exact same lookup space with no visual or structural signal that one is unofficial. Combine that with setup.py's ability to execute arbitrary Python at install time — well before any application code runs — and a single pip install reqeusts typo can compromise a developer workstation or CI runner in under a second. PyPI has added some mitigations, including a 2023 policy that temporarily froze new user registration and new project creation for about 10 hours after a flood of malware uploads, but the core namespace and install-time execution model haven't changed.
How Can Teams Detect and Prevent Typosquatted Packages?
Teams can detect and prevent typosquatting by combining registry-level hygiene with automated scanning at the point packages enter a build. Practical controls include: pinning exact package versions and hashes in requirements.txt or lockfiles rather than relying on loose version ranges; using private package indexes with allowlists so CI can't silently pull an unreviewed public package; running install-time name-similarity checks against your declared dependency set before code execution; and auditing new or renamed dependencies during code review rather than trusting whatever pip freeze produces. Organizations with more than a handful of Python services also benefit from continuously diffing their actual dependency tree — including transitive dependencies pulled in without a direct entry in requirements.txt — against known-malicious package databases, since a single junior engineer's typo three layers deep in a dependency graph can be invisible to manual review.
How Safeguard Helps
Safeguard closes the gap that manual dependency review leaves open by continuously scanning every PyPI package entering your build — direct and transitive — against known-malicious and typosquat-pattern signatures, then using reachability analysis to show whether a flagged package's risky code path is actually exercised by your application rather than just present in the tree. Griffin AI, Safeguard's detection engine, correlates install-time behavior, name-similarity scoring, and publisher history to catch novel typosquats before they're added to public threat feeds. Safeguard also generates and ingests SBOMs so security teams have an accurate, versioned record of what's actually running in production, and when a malicious or typosquatted package is confirmed, Safeguard opens an auto-fix pull request that swaps in the correct dependency and pins its verified hash — cutting remediation from a multi-day audit to a single review-and-merge.