Attackers Move Past Typosquatting to Realistic Package Impersonation
ID: c195f617-40ef-54ad-a672-cd9b51dcd25b
STIX ID: report--c195f617-40ef-54ad-a672-cd9b51dcd25b
Feed Name: Infosecurity Magazine (News)
Sonatype's analysis of 4,309 malicious open-source packages finds attackers moving beyond simple typosquatting to framework-adjacent, plausible names (suffixes, prefixes, SDK/plugin wording) that evade traditional defenses. These packages commonly exfiltrate secrets and host data, act as droppers or backdoors, and show signs of industrialized, campaign-level reuse of infrastructure. The report recommends scrutinizing first-seen and framework-adjacent dependencies and evaluating publisher behavior before allowing components into builds.
