
What Is Typosquatting? Attacks and Defense

Typosquatting is the practice of registering names that closely resemble a legitimate, well-known name, exploiting common typing errors and visual confusion to redirect traffic, harvest credentials, or deliver malware.

A user means to type paypal.com. They hit paypa1.com instead, with a digit 1 standing in for the letter l. The page looks identical. They enter their credentials. The attacker now has them, and the victim never noticed the address bar.

That is typosquatting: registering a name that is one keystroke or one glance away from a name people already trust, then waiting for the mistake. The name can be a domain, a package on npm or PyPI, or an email sender. The constant is deception by near-miss. The target does not click a malicious link. They make a small error, and the attacker has pre-positioned an asset to catch it.

This guide is written for defenders. It covers what typosquatting is, the permutation techniques attackers use, real campaigns against both domains and software registries, and a detection and defense workflow a SOC can actually run.

What is typosquatting?

Typosquatting is the practice of registering names that closely resemble a legitimate, well-known name, exploiting common typing errors and visual confusion to redirect traffic, harvest credentials, or deliver malware. It is also called URL hijacking. In the software world it is a close relative of dependency confusion, and the two are worth keeping apart: both get a malicious package installed because of its name, but dependency confusion exploits how a package manager resolves a name that exists in an internal registry against a public one, while typosquatting relies on a human mistyping or misreading the name.

The mechanics are simple. An attacker enumerates the predictable ways a target name gets mistyped or misread, registers those variants before anyone else, and points them at infrastructure that serves the attacker's goal. A lookalike domain might host a credential-harvesting clone. A lookalike package might run a malicious install script. A lookalike email domain might send invoices that get paid.

The reason it works is timing and trust. The victim already trusts the real name, so they do not scrutinize the fake. And a freshly registered lookalike has no reputation history, so reputation-based filters that block known-bad domains have nothing to match against until victims are already being hit. That gap, between registration and the first detection, is the window the attacker lives in.

Typosquatting is a form of cybersquatting. The broader category covers registering any domain that trades on someone else's trademark in bad faith. Typosquatting is the subset that specifically targets human error rather than, say, holding a brand-name domain for ransom.

How a typosquatting attack works

[Figure: Typosquatting attack chain. Four stages, one mistyped name: 01 Select (target selection), 02 Permute (permutation), 03 Stage (registration and staging), 04 Activate (activation). Caption: the defender's leverage is highest while the asset is still staging, before it goes live; predict the permutations from stage 02 and monitor for those exact registrations in stage 03.]

The attack runs in four stages, and each one is an opportunity for a defender to intervene.

  1. Target selection. The attacker picks a name worth impersonating: a bank, a SaaS login portal, a popular open-source package, a payroll vendor. High traffic and high trust make the best targets.
  2. Permutation. The attacker generates lookalike variants of the name using known mutation patterns (covered below). Tools automate this, producing hundreds of candidates from one seed name.
  3. Registration and staging. The attacker registers available variants and stands up infrastructure: a cloned login page, a malicious package version, a mail server with matching SPF and DKIM records to pass authentication checks.
  4. Activation. The asset goes live and waits. Some campaigns drive traffic with phishing emails that embed the lookalike link. Others rely purely on organic typos and search-engine slips. Software typosquats wait for a developer to fat-finger an install command.

The defender's leverage is highest at stages two and three. If you can predict the permutations an attacker will generate, you can monitor for those exact registrations and catch the asset while it is still staging, before activation.

Typosquatting techniques and permutation patterns

"Typosquatting" is often used loosely to cover a family of lookalike-name techniques. Knowing them by name matters, because each one needs a different detection rule.

Technique                 What it does                                                   Example (seed: example.com)
Character omission        Drops a letter                                                 exmple.com
Character substitution    Swaps in a visually or physically adjacent key                 exanple.com (n sits next to m)
Character transposition   Swaps two adjacent letters                                     exapmle.com
Character insertion       Adds a letter                                                  exammple.com
Homoglyph substitution    Replaces a letter with a lookalike glyph                       examp1e.com (digit one for l)
IDN homograph             Uses Unicode characters that render like ASCII                 exаmple.com (Cyrillic а, U+0430)
Bitsquatting              Exploits a single-bit memory error that changes one character  exalple.com (m to l is one flipped bit)
Combosquatting            Appends a plausible word, no typo needed                       example-login.com
TLD swap                  Keeps the name, changes the extension                          example.co, example.net

A few of these deserve a closer look.

Homoglyph and IDN homograph attacks are the hardest for a human to catch. The digit 1 for a lowercase l, a zero for an uppercase O, the Cyrillic а (U+0430) for the Latin a: these render almost identically in most fonts. Internationalized domain names let attackers register names containing non-Latin characters; the browser may display the Unicode while the actual registration is an ASCII Punycode string starting with xn--. A domain that shows as аpple.com is really xn--pple-43d.com. Browsers have tightened their display rules since such attacks were demonstrated (a label that mixes scripts is generally shown in its Punycode form), but the rules differ between browsers and versions, so monitoring should match on the xn-- form as well as on the rendered one.

Bitsquatting does not rely on a human typo at all. It exploits rare hardware memory errors that flip a single bit in a stored domain name, turning one character into another: flipping the lowest bit of m yields l, so example.com becomes exalple.com. The attacker registers the bit-flipped variants and collects the traffic from the small fraction of lookups whose name was corrupted in memory before the request left the machine. Only flips that land on a letter, digit or hyphen produce a registrable name, which keeps the candidate list short.

Combosquatting uses no misspelling. The brand name is spelled correctly, with an extra word bolted on: paypal-secure.com, microsoft-support.net. Because the brand string is intact, naive string-matching misses it, which is exactly why it works.
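The table and the three techniques above reduce to a small set of string mutations, which is why a tool can produce hundreds of candidates from one seed (stage 02 of the attack chain). The following is an added example written for this page, not code from the original article and not dnstwist's implementation: it generates each category of variant for one seed domain and shows the xn-- form an IDN homograph is actually registered under. The keyboard-neighbour map, homoglyph map, combo words and TLD list are small illustrative tables assumed for the example, not the full maps a production engine carries.

```python
"""Lookalike-domain permutation engine for one seed domain.

Added example, not code from the original page and not dnstwist's own
implementation. It reimplements the mutation patterns from the table
above: omission, substitution, transposition, insertion, homoglyph,
IDN homograph, bitsquatting, combosquatting and TLD swap. The lookup
tables below are small illustrative assumptions.
"""
from __future__ import annotations

QWERTY_NEIGHBOURS = {"a": "qwsz", "e": "wrsd", "l": "kop", "m": "njk", "p": "ol", "x": "zsdc"}
HOMOGLYPHS = {"l": "1", "o": "0", "a": "\u0430"}  # U+0430 is Cyrillic small a, an IDN homograph
COMBO_WORDS = ("login", "secure", "support")
TLDS = ("com", "co", "net", "org")
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")  # characters allowed in a hostname label
TECHNIQUES = ("omission", "substitution", "transposition", "insertion", "homoglyph",
              "idn_homograph", "bitsquatting", "combosquatting", "tld_swap")


def to_punycode(domain: str) -> str:
    """The ASCII (xn--) form of an IDN, which is the string actually registered."""
    return domain.encode("idna").decode("ascii")


def permutations(domain: str) -> dict[str, set[str]]:
    """Return {technique: {lookalike domain, ...}} for one seed such as example.com."""
    name, _, tld = domain.lower().partition(".")
    out: dict[str, set[str]] = {t: set() for t in TECHNIQUES}

    def full(label: str) -> str:
        return f"{label}.{tld}"

    for i, ch in enumerate(name):
        # Omission: one character dropped.
        out["omission"].add(full(name[:i] + name[i + 1:]))
        # Substitution and insertion: keys physically next to the intended one.
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            out["substitution"].add(full(name[:i] + near + name[i + 1:]))
            out["insertion"].add(full(name[:i] + near + name[i:]))
        # Insertion also covers the double-tap (exammple).
        out["insertion"].add(full(name[:i] + ch + name[i:]))
        # Transposition: two adjacent characters swapped.
        if i + 1 < len(name) and ch != name[i + 1]:
            out["transposition"].add(full(name[:i] + name[i + 1] + ch + name[i + 2:]))
        # Homoglyph: an ASCII lookalike stays ASCII; a non-ASCII one is an IDN homograph.
        if ch in HOMOGLYPHS:
            glyph = HOMOGLYPHS[ch]
            kind = "homoglyph" if glyph.isascii() else "idn_homograph"
            out[kind].add(full(name[:i] + glyph + name[i + 1:]))
        # Bitsquatting: flip each of the eight bits, keep only valid label characters.
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            label = name[:i] + flipped + name[i + 1:]
            if (flipped in LABEL_CHARS and flipped != ch
                    and not label.startswith("-") and not label.endswith("-")):
                out["bitsquatting"].add(full(label))

    # Combosquatting keeps the brand intact and bolts a word on; TLD swap keeps the label.
    for word in COMBO_WORDS:
        out["combosquatting"].update({full(f"{name}-{word}"), full(f"{name}{word}")})
    out["tld_swap"].update(f"{name}.{other}" for other in TLDS if other != tld)
    return out


if __name__ == "__main__":
    for technique, variants in permutations("example.com").items():
        shown = sorted(variants)[:4]
        print(f"{technique:15} {len(variants):3}  {' '.join(shown)}")
```

Feed the output of permutations() to scheduled DNS resolution or WHOIS checks and alert on any variant that starts resolving; that is the loop dnstwist automates. Bitsquatting yields far fewer candidates than the other categories because only flips that land on a letter, digit or hyphen are registrable, and the IDN variants should be stored and matched in their to_punycode() form, since that is what appears in registration data and Certificate Transparency logs.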

Typosquatting in the software supply chain

Domains are the classic target, but the higher-impact version of typosquatting today hits software package registries. A developer who types pip install colorama correctly is safe. A developer who types colourama, with the British spelling, may install malware. The blast radius is larger than a single phished user because the malicious code runs in build pipelines, developer machines, and anything that depends on the compromised package.

Documented cases:

  • crossenv (npm, 2017). A typosquat of the popular cross-env package, published in July 2017 and disclosed in early August. It exfiltrated environment variables, which often hold credentials and tokens, to a server controlled by the attacker. npm removed roughly forty related packages from the same author.
  • colourama (PyPI, 2018). A typosquat of colorama carrying a Windows clipboard hijacker that swapped copied cryptocurrency wallet addresses for the attacker's, redirecting payments.
  • lodahs (npm, 2019). A typosquat of lodash, at the time the most-depended-on package on npm. Version 0.0.1 was a trojan that located and exfiltrated cryptocurrency wallets from the machine that installed it. Tracked as CVE-2019-19771.

This is a software supply chain attack delivered through a name collision rather than a compromised maintainer account. The defense is different from domain typosquatting, and we cover it below.

A newer twist is slopsquatting. Coined by Seth Larson of the Python Software Foundation in 2025, it targets package names that AI coding assistants hallucinate. When an LLM confidently suggests import requestz or recommends installing a package that does not exist, an attacker who has pre-registered that hallucinated name catches the developers who paste the suggestion without checking. Research presented in 2025 found that open-source models hallucinated package names at meaningfully higher rates than commercial ones, which gives attackers a predictable list of names to squat.

Why typosquatting is hard to detect

Three properties make typosquatting evade standard controls.

Zero reputation. A lookalike domain registered yesterday has no history. Blocklists and reputation scores, the backbone of most email and web filtering, are built from observed bad behavior. A brand-new typosquat has none yet, so it sails through until enough victims report it. By then the campaign may be over.

Legitimate-looking infrastructure. Attackers configure valid TLS certificates (free, automated, and instant), set up SPF, DKIM, and DMARC on lookalike mail domains, and clone the real site pixel-for-pixel. Every individual signal a user might check looks correct.

Human-error trigger. Nothing has to be clicked. The victim initiates the contact by mistyping. There is no malicious payload in an inbound message to scan, because the message often does not exist.

The practical consequence: you cannot wait for a typosquat to misbehave and then block it. You have to find it at registration.

How to detect and defend against typosquatting

Detection and defense split into two tracks: domains and software packages.

Detecting lookalike domains

  • Generate your own permutations and monitor them. Run a permutation engine like dnstwist (open-source, actively maintained) against your own brand names. It produces the same variants an attacker would and checks which are registered, resolving, or serving content. Schedule it and alert on new registrations.
  • Watch Certificate Transparency logs. Every publicly trusted TLS certificate is logged to public CT logs, standardized in RFC 6962. Subscribe to a CT-log feed and alert when a certificate is issued for any string close to your brand. This often surfaces a lookalike during staging, before it sends a single email.
  • Use string-similarity scoring. Damerau-Levenshtein edit distance (insertions, deletions, substitutions, and transpositions) gives you a numeric "how close is this to my brand" score for triaging newly observed domains in passive DNS and proxy logs.
  • Mine passive DNS and proxy telemetry. Hunt for resolutions and outbound requests to domains within a small edit distance of your high-value names. A handful of internal users resolving examp1e.com is a lead.

Defending software dependencies

  • Pin and verify. Use lockfiles that pin exact versions and integrity hashes (package-lock.json, poetry.lock; for plain pip, requirements.txt entries with --hash installed under pip install --require-hashes). A hash mismatch stops a swapped package. Be clear about what pinning does not do: it does not stop the first install of a typosquat, because the lockfile records whatever name was typed. It stops a later substitution of a package you have already vetted.
  • Proxy through a private registry. Route installs through a registry proxy that can allowlist known-good packages and block typosquats before they reach a developer's machine.
  • Check names at install time. Add CI checks that flag dependencies within a short edit distance of popular packages, and verify that any AI-suggested package actually exists and is the one you meant before adding it.
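Both tracks above come down to the same string check: score an observed name against a short list of names you care about and treat anything close as a lead. The following is an added example, not code from the original page: it implements Damerau-Levenshtein distance with a confusable-folding step and runs it over a constructed passive-DNS sample against a brand list (the same scoring applies to names pulled from a Certificate Transparency feed), then over a constructed dependency list against a list of popular package names. The log format, brand names, package names and confusables maps are assumptions made for the example.

```python
"""Edit-distance triage for lookalike domains and package names.

Added example, not code from the original page. It implements the
Damerau-Levenshtein distance (optimal string alignment form: an adjacent
transposition costs one edit) and applies it to constructed passive-DNS
log lines against a brand list, then to a constructed dependency list
against popular package names. Log format, brands and package lists are
illustrative assumptions.
"""
import re
import unicodedata

CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})  # ASCII lookalikes folded before scoring
CYRILLIC = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}  # partial confusables map (assumption)

def damerau_levenshtein(a: str, b: str) -> int:
    """Inserts, deletes, substitutions and adjacent swaps needed to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def skeleton(label: str) -> str:
    """Fold a DNS label for comparison: Punycode decoded, NFKC, confusables folded."""
    try:
        label = label.encode("ascii").decode("idna")  # xn--pple-43d becomes Cyrillic-a + pple
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    label = unicodedata.normalize("NFKC", label).lower()
    for cyr, lat in CYRILLIC.items():
        label = label.replace(cyr, lat)
    # rn/vv folding catches exarnple and vvebsite; it also folds honest names, so hits are leads, not verdicts.
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

BRANDS = ("example", "paypal", "apple")  # left labels of your own domains (assumption)
# Constructed passive-DNS sample (timestamp, client, query name, record type); not real telemetry.
DNS_LOG = """\
2024-05-02T10:14:03Z 10.0.4.21 example.com A
2024-05-02T10:14:09Z 10.0.4.21 examp1e.com A
2024-05-02T10:15:41Z 10.0.7.8 exapmle.com A
2024-05-02T10:16:02Z 10.0.7.8 paypal-secure.com A
2024-05-02T10:16:30Z 10.0.3.3 xn--pple-43d.com A
2024-05-02T10:17:12Z 10.0.3.3 github.com A
"""
LOG_LINE = re.compile(r"^\S+ (?P<client>\S+) (?P<qname>\S+) \S+$")

def triage_domains(log: str, brands=BRANDS, max_distance: int = 2) -> list:
    """Return (query name, brand it resembles, reason) for each suspicious lookup in the log."""
    hits = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        labels = qname.split(".")
        if len(labels) < 2 or labels[-2] in brands:
            continue  # malformed, or the brand's own domain
        folded = skeleton(labels[-2])  # naive registrable label; use a public-suffix list in production
        for brand in brands:
            target = skeleton(brand)
            dist = damerau_levenshtein(folded, target)
            if folded == target:
                reason = "homoglyph or homograph"
            elif dist <= max_distance:
                reason = f"edit distance {dist}"
            elif target in folded.split("-") or folded.startswith(target):
                reason = "combosquat"  # brand string intact with a word bolted on
            else:
                continue
            hits.append((qname, brand, reason))
            break
    return hits

def normalize_pkg(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()

def check_dependencies(requested, popular, max_distance: int = 2) -> dict:
    """Sort requested names into ok (popular), suspect (near a popular name) or unknown."""
    known = {normalize_pkg(p) for p in popular}
    result = {"ok": [], "suspect": [], "unknown": []}
    for raw in requested:
        name = normalize_pkg(raw)
        if name in known:
            result["ok"].append(raw)
            continue
        near = sorted(p for p in known if damerau_levenshtein(name, p) <= max_distance)
        if near:
            result["suspect"].append(f"{raw} (near {', '.join(near)})")
        else:
            result["unknown"].append(raw)  # not near anything popular: confirm it exists and is what you meant
    return result

POPULAR = ("colorama", "requests", "numpy", "urllib3", "pillow")  # assumption: your allowlist
REQUESTED = ("colourama", "requests", "requestz", "Numpy", "pilow", "my-internal-tool")  # constructed
```

The folding step is what catches examp1e.com and xn--pple-43d.com: once decoded and folded they sit at edit distance 0 from the brand, whereas plain edit distance on the raw Punycode string would have scored it as unrelated. The combosquat rule deliberately fires on anything that starts with the brand token, so it will also flag unrelated names that share a prefix; in a SOC workflow these are leads for an analyst, not automatic blocks. The "unknown" bucket on the package side is where hallucinated (slopsquat) names land, which is why the check should confirm the package exists and is the one intended before the install proceeds.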

Reducing your own attack surface

  • Defensively register the obvious typos. Buy the highest-probability permutations of your brand and the common TLD swaps yourself, and redirect them to your real site. It is cheaper than an incident.
  • Pursue takedowns. When you find an active typosquat, file under ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) or, in the United States, under the Anticybersquatting Consumer Protection Act of 1999. Both give trademark holders a path to seize or kill an infringing domain.

Frequently asked questions

What is typosquatting?

Typosquatting is registering a domain, package, or sender name that closely resembles a trusted one, exploiting typos and visual confusion to harvest credentials, deliver malware, or redirect payments. The victim makes a small error and lands on attacker-controlled infrastructure that was pre-positioned to catch it.

What is the difference between typosquatting and cybersquatting?

Cybersquatting is the broad practice of registering domains that trade on someone else's trademark in bad faith. Typosquatting is the specific subset that targets human error, registering misspellings and lookalikes of a trusted name so that mistypes land on the attacker. All typosquatting is cybersquatting, but cybersquatting also includes tactics like holding a brand-name domain for ransom.

What is an example of a typosquatting attack?

paypa1.com, using the digit 1 in place of the letter l, is a classic domain example used to clone a login page. In software, the colourama package on PyPI typosquatted the real colorama package and ran a cryptocurrency clipboard hijacker on Windows machines that installed it.

Is typosquatting illegal?

In many jurisdictions, yes, when it infringes a trademark in bad faith. In the United States the Anticybersquatting Consumer Protection Act of 1999 lets trademark holders sue, and ICANN's UDRP provides an administrative process to dispute and seize infringing domains worldwide. Criminal charges can also follow when typosquatting is used for fraud or malware delivery.

How do you detect typosquatting domains?

Generate the permutations of your own brand names with a tool like dnstwist and monitor which ones get registered, watch Certificate Transparency logs for certificates issued to lookalike strings, and score newly observed domains in your DNS and proxy logs by edit distance to your high-value names. The goal is to catch the lookalike at registration, not after it attacks.

What is slopsquatting?

Slopsquatting is a 2025 variant where attackers register package names that AI coding assistants hallucinate. When an LLM suggests a non-existent package, an attacker who has pre-registered that name catches developers who install the suggestion without verifying it exists.

