Interlace ESLint

detect-suspicious-dependencies


Detect typosquatting attacks in npm package imports

Rule Details

This rule detects package imports that look like typosquatting attempts on popular npm packages. Typosquatting is a supply chain attack in which malicious actors publish packages whose names differ from a popular package by only a character or two, so that a mistyped import or install pulls in the attacker's code instead of the intended dependency.

OWASP Mobile Top 10: M2 - Inadequate Supply Chain Security
CWE: CWE-506 - Embedded Malicious Code
Severity: error

Examples

❌ Incorrect

// Typosquatting on 'react'
import React from 'reakt';

// Typosquatting on 'lodash'
import _ from 'lodsh';

// Typosquatting on 'express'
import express from 'expres';

// Typosquatting on 'axios'
import axios from 'axois';

✅ Correct

// Official packages
import React from 'react';
import _ from 'lodash';
import express from 'express';
import axios from 'axios';

// Scoped packages are safe
import { something } from '@myorg/react-utils';

// Relative imports are safe
import { helper } from './utils';

How It Works

The rule uses Levenshtein distance to detect packages with names similar to popular packages:

  • react, lodash, express, axios, webpack

If an imported package name is within 2 edits of one of these names but is not an exact match, the import is flagged as suspicious.
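As an added worked example (not the plugin's own source), here is the check described above in plain JavaScript: a Levenshtein implementation, the five-package list and the 2-edit threshold from this page, plus the scoped-package and relative-path exemptions shown in the Correct examples. The `packageName`, `findTyposquatTarget` and `scan` helpers, the sample specifier list and the handling of subpath imports such as `lodash/fp` are assumptions for illustration. It also goes one step beyond the page: the sample includes `preact`, a real package that is one edit from `react`, to show the kind of false positive a pure distance threshold produces.

```javascript
// Added example, not the plugin's implementation: a Levenshtein-based
// typosquat check following the rule description. The package list and the
// 2-edit threshold come from the documentation; the helpers are assumptions.
'use strict';

const POPULAR_PACKAGES = ['react', 'lodash', 'express', 'axios', 'webpack'];
const MAX_DISTANCE = 2;

// Classic Levenshtein distance: insertions, deletions and substitutions each
// cost 1. A transposition therefore costs 2 ('axois' vs 'axios'), which is
// exactly at the threshold.
function levenshtein(a, b) {
  const prev = new Array(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1], saved before the row is overwritten
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Reduce an import specifier to the bare package name. Returns null for
// specifiers the rule does not examine: relative and absolute paths, and
// scoped packages (the documentation treats '@scope/...' as safe).
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  if (specifier.startsWith('@')) return null;
  // 'lodash/fp' is a subpath of 'lodash'; compare only the package part
  // (assumption: the page does not describe subpath handling).
  return specifier.split('/')[0];
}

// Returns { target, distance } for the popular package the specifier appears
// to imitate, or null when it is exempt, exact, or too far from all of them.
function findTyposquatTarget(specifier) {
  const name = packageName(specifier);
  if (name === null) return null;
  if (POPULAR_PACKAGES.includes(name)) return null; // the genuine package
  let best = null;
  for (const popular of POPULAR_PACKAGES) {
    const d = levenshtein(name, popular);
    if (d <= MAX_DISTANCE && (best === null || d < best.distance)) {
      best = { target: popular, distance: d };
    }
  }
  return best;
}

// Constructed sample specifiers. 'preact' is a legitimate package that sits
// one edit from 'react' and is flagged: the false positive the threshold
// cannot avoid on its own.
const SAMPLE_SPECIFIERS = [
  'reakt', 'lodsh', 'expres', 'axois', 'webpak',
  'react', 'lodash/fp', '@myorg/react-utils', './utils', 'preact', 'redux',
];

function scan(specifiers) {
  const findings = [];
  for (const s of specifiers) {
    const hit = findTyposquatTarget(s);
    if (hit) findings.push({ specifier: s, ...hit });
  }
  return findings;
}

for (const f of scan(SAMPLE_SPECIFIERS)) {
  console.log(`'${f.specifier}' is ${f.distance} edit(s) from '${f.target}'`);
}
```

Run it with `node` to see the six flagged names (`reakt`, `lodsh`, `expres`, `axois`, `webpak`, `preact`); `redux` stays quiet because it is three edits from `react`, which is why the threshold is 2 and not 3.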

When Not To Use It

  • Your project uses legitimately named packages that happen to be similar to popular ones (for example, 'preact' is one edit away from 'react' and will be flagged)
  • You have verified that a flagged package is the one you intend to use and is not malicious (check its publisher, repository and contents, not just the name)

Configuration

{
  rules: {
    'secure-coding/detect-suspicious-dependencies': 'error'
  }
}

Known False Negatives

The rule only sees string-literal module specifiers in import declarations and require calls. The following patterns are therefore not detected, due to static analysis limitations:

Values from Variables

Why: A package name held in a variable is not traced back to its value, so the specifier passed to require or import stays unknown.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Import third-party packages with string-literal specifiers so the rule can see them, and verify package names against package.json and the lockfile.

Wrapper Functions

Why: A custom wrapper around require or dynamic import is not recognised as an import, so the name passed through it is never checked.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Apply the rule to the wrapper implementation, and keep the literal package names in the wrapper rather than passing them in from callers.

Dynamic Invocation

Why: A call through a computed member (obj[method]) cannot be resolved statically, so the rule cannot tell whether it is a require or import at all.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.
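The three limitations above share one root cause: an ESLint rule works on the AST, and a package name is only visible when it appears as a string literal in an import or require. The following added example (not the plugin's source) sketches a rule of that shape and feeds it hand-built ESTree nodes through a stub context, so it runs without ESLint. The distance check from How It Works is replaced by a fixed deny list so the block stays about what the rule can and cannot see; the rule layout, the `checkLiteral` helper, the `runRule` walker and the sample nodes are assumptions constructed for illustration.

```javascript
// Added example, not the plugin's source: a minimal ESLint-style rule showing
// which AST shapes a literal-specifier check inspects. The stand-in deny list
// replaces the Levenshtein comparison; node shapes follow ESTree.
'use strict';

// Stand-in for the distance check (assumption, kept trivial on purpose).
const KNOWN_TYPOSQUATS = new Set(['reakt', 'lodsh', 'expres', 'axois']);

function isSuspiciousName(name) {
  return KNOWN_TYPOSQUATS.has(name);
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: 'Detect typosquatting attacks in npm package imports' },
  },
  create(context) {
    // Only a string Literal can be checked; anything else (Identifier,
    // BinaryExpression, TemplateLiteral, missing argument) is skipped,
    // which is exactly where the false negatives come from.
    function checkLiteral(node, specifierNode) {
      if (!specifierNode || specifierNode.type !== 'Literal' ||
          typeof specifierNode.value !== 'string') {
        return;
      }
      if (isSuspiciousName(specifierNode.value)) {
        context.report({ node, message: `'${specifierNode.value}' looks like a typosquat` });
      }
    }
    return {
      ImportDeclaration(node) { checkLiteral(node, node.source); },   // import x from '...'
      ImportExpression(node) { checkLiteral(node, node.source); },    // import('...')
      CallExpression(node) {                                          // require('...')
        if (node.callee.type === 'Identifier' && node.callee.name === 'require') {
          checkLiteral(node, node.arguments[0]);
        }
      },
    };
  },
};

// Tiny stand-in for ESLint's traversal: dispatch each top-level node to the
// matching visitor and collect report messages through a stub context.
function runRule(nodes) {
  const reports = [];
  const visitors = rule.create({ report: (r) => reports.push(r.message) });
  for (const node of nodes) {
    const visit = visitors[node.type];
    if (visit) visit(node);
  }
  return reports;
}

// Constructed ESTree nodes; the comment on each shows the source it stands for.
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const SAMPLE_PROGRAM = [
  // import _ from 'lodsh';                 -> reported
  { type: 'ImportDeclaration', specifiers: [], source: lit('lodsh') },
  // const express = require('expres');     -> reported
  { type: 'CallExpression', callee: id('require'), arguments: [lit('expres')] },
  // const name = 'reakt'; require(name);   -> NOT reported: value from variable
  { type: 'CallExpression', callee: id('require'), arguments: [id('name')] },
  // require(base + '/axois');              -> NOT reported: computed specifier
  { type: 'CallExpression', callee: id('require'),
    arguments: [{ type: 'BinaryExpression', operator: '+', left: id('base'), right: lit('/axois') }] },
  // myRequire('reakt');                    -> NOT reported: wrapper function
  { type: 'CallExpression', callee: id('myRequire'), arguments: [lit('reakt')] },
  // loader[method]('lodsh');               -> NOT reported: dynamic invocation
  { type: 'CallExpression',
    callee: { type: 'MemberExpression', object: id('loader'), property: id('method'), computed: true },
    arguments: [lit('lodsh')] },
  // import('axois')                        -> reported
  { type: 'ImportExpression', source: lit('axois') },
];

for (const message of runRule(SAMPLE_PROGRAM)) console.log(message);
```

Three of the seven sample statements produce a report; the other four are the Values from Variables, Wrapper Functions and Dynamic Invocation cases above, and they pass through untouched because the visitor never sees a string literal it can compare.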

Further Reading


Category: Mobile Security / Supply Chain
Type: Problem
Recommended: Yes
