Technique entry
SUP-NPM-TYPOSQUAT · Initial Access
npm / PyPI / RubyGems Typosquat
Publish a package with a near-miss name (lodahs, expresss, requessts) — install scripts fire on every npm install.
§ Where this technique fits
SUP-NPM-TYPOSQUAT is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3 on average.
§ Dossiers chaining this technique
- step 1 / 6: npm typosquat → developer workstation → corporate VPN
  Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfils SSH keys + VPN profile, then connects to the corporate network.
- step 5 / 6: Leaked GitHub PAT → org takeover → supply-chain push
  A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
§ What commonly comes next
- 01 · Malicious Install Script (SUP-INSTALL-SCRIPT · Execution) · seen 2×