
Show HN: Tool for spotting npm typosquatting - dankent
https://www.npmjs.com/package/check-typosquatters
======
dankent
Following the earlier discussion
([https://news.ycombinator.com/item?id=14901566](https://news.ycombinator.com/item?id=14901566))
about the malicious crossenv package, I've knocked together a quick tool that
might help to spot such typosquatting:

[https://www.npmjs.com/package/check-typosquatters](https://www.npmjs.com/package/check-typosquatters)

(It's the first time I've published anything to npm so let me know if I have
done anything wrong...)

It uses the list of package names from the all-the-package-names package and
returns the 10 packages with the most similar names to the supplied parameter
(using Levenshtein distance)

It also displays their rank based on dependent packages to give an idea of how
they compare in usage.

It uses a package of package names that is updated daily.

Could a tool like this help to avoid installing a typosquatting package rather
than the intended one?

I wonder whether a wrapper for npm install that warns if there is a higher
ranked package within a small Levenshtein might be more useful.
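The Levenshtein lookup and the "warn on npm install" idea, as an added example that is not the check-typosquatters package's own code. SAMPLE_REGISTRY is a constructed stand-in for the all-the-package-names list, with invented dependent counts; the function names are the example's own.

```javascript
// Added example, not the check-typosquatters package's own code: Levenshtein lookup of
// the closest package names plus the install-wrapper warning idea. Data is constructed.

function levenshtein(a, b) {
  // Classic edit distance computed one DP row at a time.
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Constructed stand-in for the all-the-package-names list; dependent counts are invented.
const SAMPLE_REGISTRY = [
  { name: 'lodash', dependents: 90000 },
  { name: 'express', dependents: 50000 },
  { name: 'cross-spawn', dependents: 8000 },
  { name: 'cross-env', dependents: 5000 },
  { name: 'crossenv', dependents: 3 },
  { name: 'cross-envs', dependents: 1 },
];

// Rank 1 = the package with the most dependents.
function rankByDependents(registry) {
  const sorted = [...registry].sort((x, y) => y.dependents - x.dependents);
  return new Map(sorted.map((p, i) => [p.name, i + 1]));
}

// The `limit` closest names to `name`, nearest first, ties broken by rank.
function mostSimilar(name, registry, limit = 10) {
  const ranks = rankByDependents(registry);
  return registry
    .filter((p) => p.name !== name)
    .map((p) => ({ name: p.name, distance: levenshtein(name, p.name), rank: ranks.get(p.name) }))
    .sort((x, y) => x.distance - y.distance || x.rank - y.rank)
    .slice(0, limit);
}

// The "wrapper for npm install" check: better-ranked packages within a small edit
// distance of the requested name. An unknown name ranks last, so any close neighbour is flagged.
function installWarnings(requested, registry, maxDistance = 2) {
  const requestedRank = rankByDependents(registry).get(requested) ?? Infinity;
  return mostSimilar(requested, registry).filter((c) => c.distance <= maxDistance && c.rank < requestedRank);
}
```

With the constructed data, `installWarnings('crossenv', SAMPLE_REGISTRY)` flags `cross-env`, while `installWarnings('cross-env', SAMPLE_REGISTRY)` returns nothing because its close neighbours all rank lower.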

------
fiatjaf
nice tool please download and install [https://www.npmjs.com/package/check-typosquaters](https://www.npmjs.com/package/check-typosquaters) very good

(Just kidding.)

