To address the challenges of detecting both active and stealthy typosquatting attacks in software supply chains—namely, high false-positive rates and weak cross-ecosystem support—this paper proposes TypoSmart, a robust detection system. Methodologically, TypoSmart (1) models attack patterns empirically using real-world package registry data; (2) employs a unified feature representation and embedded similarity search across six major ecosystems—including npm and PyPI; and (3) integrates engineering-informed heuristics to suppress false positives. Evaluation demonstrates that TypoSmart achieves 73–91% faster detection and reduces false positives by 70.4% compared to state-of-the-art baselines. Deployed at scale in collaboration with an industry partner, it identified and facilitated the removal of 3,658 malicious packages within a single month. These results underscore TypoSmart’s effectiveness in enhancing both the security posture and operational practicality of package registries.

Typosquatting attacks, also known as package confusion attacks, threaten software supply chains. Attackers make packages with names that resemble legitimate ones, tricking engineers into installing malware. While prior work has developed defenses against typosquatting in some software package registries, notably npm and PyPI, gaps remain: addressing high false-positive rates; generalizing to more software package ecosystems; and gaining insight from real-world deployment. In this work, we introduce TypoSmart, a solution designed to address the challenges posed by typosquatting attacks. We begin by conducting a novel analysis of typosquatting data to gain deeper insights into attack patterns and engineering practices. Building on state-of-the-art approaches, we extend support to six software package registries using embedding-based similarity search, achieving a 73%-91% improvement in speed. Additionally, our approach significantly reduces 70.4% false-positive compared to prior work results. TypoSmart is being used in production at our industry partner and contributed to the removal of 3,658 typosquatting packages in one month. We share lessons learned from the production deployment.