detect-suspicious-dependencies
ESLint rule documentation for detect-suspicious-dependencies
Detect typosquatting attacks in npm package imports
This rule detects package imports that look like typosquatting attempts on popular npm packages
Rule Details
This rule detects package imports that look like typosquatting attempts on popular npm packages. Typosquatting is a supply chain attack where malicious actors publish packages with names similar to popular packages.
OWASP Mobile Top 10: M2 - Inadequate Supply Chain Security
CWE: CWE-506 - Embedded Malicious Code
Severity: error
Examples
❌ Incorrect
// Typosquatting on 'react'
import React from 'reakt';
// Typosquatting on 'lodash'
import _ from 'lodsh';
// Typosquatting on 'express'
import express from 'expres';
// Typosquatting on 'axios'
import axios from 'axois';
✅ Correct
// Official packages
import React from 'react';
import _ from 'lodash';
import express from 'express';
import axios from 'axios';
// Scoped packages are safe
import { something } from '@myorg/react-utils';
// Relative imports are safe
import { helper } from './utils';
How It Works
The rule uses Levenshtein distance to detect packages with names similar to popular packages:
react,lodash,express,axios,webpack
If a package name is within 2 edits of a popular package name, it's flagged as suspicious.
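As an added illustration of this heuristic (example code written for this page, not the rule's own source), the checker below applies the popular-name list and the 2-edit threshold stated above, together with the scoped-package and relative-import exemptions shown in the Correct examples. Treating the first path segment of a subpath import such as 'lodash/fp' as the package name is an assumption of this example, not something the page states.

```javascript
// Added example, not the rule's implementation. POPULAR and the
// 2-edit threshold come from this page; the rest is constructed.
const POPULAR = ['react', 'lodash', 'express', 'axios', 'webpack'];
const MAX_DISTANCE = 2;

// Plain Levenshtein distance (insert, delete, substitute each cost 1),
// computed with a two-row dynamic-programming table.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { name, similarTo, distance } for a specifier that looks like
// a typosquat of a popular package, or null when it is considered safe.
// Scoped (@org/...) and relative (./, ../) specifiers are exempt, and an
// exact popular name is of course not flagged.
function checkImport(specifier) {
  if (specifier.startsWith('@') || specifier.startsWith('.')) return null;
  // Assumption: the package name is the first path segment ('lodash/fp').
  const name = specifier.split('/')[0];
  if (POPULAR.includes(name)) return null;
  let best = null;
  for (const pkg of POPULAR) {
    const d = levenshtein(name, pkg);
    if (d <= MAX_DISTANCE && (best === null || d < best.distance)) {
      best = { name, similarTo: pkg, distance: d };
    }
  }
  return best;
}
```

Note that a legitimately named package within two edits of a popular one is flagged just the same, which is the false-positive case the "When Not To Use It" section describes.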
When Not To Use It
- Your project uses legitimately named packages that happen to be similar to popular ones
- You've verified the package is not malicious
Configuration
{
rules: {
'secure-coding/detect-suspicious-dependencies': 'error'
}
}
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);
Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally
Mitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);
Mitigation: Avoid dynamic method invocation.
Further Reading
- OWASP Mobile Top 10 - M2 Inadequate Supply Chain Security
- CWE-506: Embedded Malicious Code
- npm Typosquatting Attacks
Related Rules
- lock-file - Ensure dependency versions are locked
- require-dependency-integrity - Verify package integrity
- no-dynamic-dependency-loading - Prevent dynamic package loading
Category: Mobile Security / Supply Chain
Type: Problem
Recommended: Yes