In a new post to his site Jordi Boggiano, lead developer on Composer and Packagist.org, talks about typo-squatting and Packagist, a trend that has come up in other communities but - so far - not as much in the PHP ecosystem.
Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short, typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware. The thesis mentions https://packagist.org as a good example as we use vendor namespaces. [...] Despite this mitigating fact, it is still technically possible to squat the vendor name, so I wanted to take a look at our repository data and see if I could spot any bad actors.
He wrote a script that runs over the current contents of the Packagist repository to see whether any packages were trying to take advantage of typosquatting. He describes what the script does and the results: a low number of issues, most of which seemed to be user error rather than malicious behavior.
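As an added illustration of the kind of check described above (this is not Jordi Boggiano's script, and the vendor names and download counts below are constructed, not real Packagist data), the snippet flags vendor names that sit within one edit of a far more popular vendor. It uses optimal string alignment distance so that a swapped pair of letters, the most common typo, counts as a single edit.

```python
"""Flag vendor names that are one typo away from a popular vendor.

Added example, not the Packagist project's own code. Sample data is
constructed for illustration.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    plus transposition of two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(downloads, popular_min=100_000, ratio=100, max_dist=1):
    """Return sorted (suspect, target) pairs: `suspect` is within `max_dist`
    edits of a popular vendor `target` that has at least `ratio` times as
    many downloads. Low-traffic lookalikes of big vendors are what a
    reviewer wants to inspect by hand; the thresholds are assumptions."""
    targets = {v: n for v, n in downloads.items() if n >= popular_min}
    hits = []
    for vendor, n in downloads.items():
        for target, tn in targets.items():
            if vendor == target or tn < n * ratio:
                continue
            if osa_distance(vendor, target) <= max_dist:
                hits.append((vendor, target))
    return sorted(hits)


# Constructed sample: vendor name -> total downloads (not real figures)
SAMPLE_DOWNLOADS = {
    "symfony": 5_000_000,
    "symfonu": 12,              # one substitution away from symfony
    "symfonyy": 3,              # one insertion away from symfony
    "laravel": 4_000_000,
    "laravle": 40,              # adjacent transposition, distance 1 under OSA
    "monolog": 3_000_000,
    "monolog-bundle": 200_000,  # distinct name, distance well above 1
    "acme": 500,                # unrelated small vendor, no match
}
```

Candidates the script reports still need a human look, since the original post found that most near-collisions were honest typos rather than malice.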