Typosquatting when agents run npm install

Agents resolve package names from context, not careful spelling. Typosquats that humans catch in review slip through when npm install runs unsupervised.

Koban Team
  • typosquatting
  • npm
  • coding-agents

Typosquatting, publishing malicious packages under names close to legitimate ones, is an old npm problem. Coding agents have made it worse.

Humans typo-check. Agents guess.

When a developer types npm install react by hand, a slip such as raect stands a chance of being noticed in the terminal output. When an agent runs the install from a task description or a hallucinated package name, nobody may check the exact resolved name until much later.

The March 31, 2026 axios compromise used a sister package named plain-crypto-js near the legitimate crypto-js. Google GTIG's analysis documents that naming choice explicitly.

MCP registries face the same pattern. Researchers have documented typosquat packages such as @akoskm/create-mcp-server-stdio (CVE-2025-54994) beside legitimate server names.

npx -y removes the last pause

MCP configs commonly use:

"command": "npx",
"args": ["-y", "@some/mcp-server"]

The -y flag tells npx to install the package without prompting. Combined with agent-driven workflows, a typosquatted name can land on disk without any human pause.

Detection without pretending prevention

You cannot typosquat-proof an agent's shell. You can:

  1. Denylist known bad names in Fleet rules after public incidents (e.g., plain-crypto-js after March 2026)
  2. Allowlist expected dependencies per team or repo baseline
  3. Diff lockfiles on heartbeat so unexpected package names surface within hours

Koban parses npm lockfiles from enrolled Macs. A new package name in the diff is a signal to investigate, not a guarantee of malice.

Same pattern, new speed

The attack class is unchanged since the event-stream incident in 2018. The install velocity is not. Agents install packages quickly, in the background, with human review as an optional downstream step.

Inventory tuned for that speed is the practical response.