Typosquatting in Third-Party Scripts: The New Supply Chain Frontier
Just caught the latest report on how typosquatting is evolving, and it’s not just a user education issue anymore. We're seeing AI-generated lookalike domains embedded directly inside legitimate third-party JavaScript libraries. It’s a supply chain nightmare.
Because the malicious domain is called from within a trusted script, the request originates from the user's browser to a destination that often has valid SSL/TLS. Your standard WAF might miss it because the traffic looks like standard user behavior.
I've been exploring ways to detect this proactively. Visual inspection is impossible given the volume of dependencies. I'm currently testing a Python script to scan our known script endpoints against potential variations using Levenshtein distance.
First, install the dependencies:
pip install python-Levenshtein tldextract
Then, you can run a check against your inventory of loaded scripts:
import tldextract
from Levenshtein import distance

def check_typosquat(url, target="google-analytics", threshold=2):
    ext = tldextract.extract(url)
    # Check if the registered domain is close to the target.
    # Distance 0 is the genuine domain itself, so it is not flagged.
    d = distance(ext.domain, target)
    if 0 < d <= threshold:
        print(f"Potential typosquat: {ext.domain} (distance {d} from {target})")
        return True
    return False

# Example check
check_typosquat("https://www.gooogle-analytics.com/track.js")
This is just a basic layer, though. Has anyone had success using browser-side injection monitors or specific CSP rule-sets to catch these AI-generated domains before they connect?
This is exactly why we moved to a strict CSP 'report-only' mode for 30 days before enforcing anything on our customer-facing portal. We found a ton of 'hidden' calls in legacy marketing scripts that looked like typosquats (e.g., trackking-api.com).
I recommend using a CSP that hashes your known good scripts. If a third-party vendor updates their script to include a new domain, the hash changes, and you get alerted immediately. It breaks the build sometimes, but it beats the alternative of data exfiltration.
Solid approach with the Levenshtein check. We're seeing similar issues with npm dependencies where import statements are slightly off.
On the network side, we've started correlating DNS requests with uncommon TLDs. If a script suddenly requests a domain with a country-code TLD that the vendor doesn't normally use, our SIEM fires an alert. It requires baseline knowledge, but it filters out a lot of the noise.
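An added example (not code from any post in this thread) that folds the original post's edit-distance check and the TLD-baseline idea above into one standard-library scan: the vendor baseline and the observed script URLs are constructed sample data, and the suffix split is a naive stand-in for tldextract.

```python
from urllib.parse import urlparse

# Constructed baseline (hypothetical vendors): label -> suffixes it normally uses.
KNOWN_VENDORS = {"google-analytics": {"com"}, "tracking-api": {"com"}}
MAX_DISTANCE = 2  # edits; 1-2 catches dropped, doubled or swapped characters

def levenshtein(a, b):
    """Two-row dynamic-programming edit distance (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_host(host):
    """Naive split: last label = suffix, the one before = registrable label.
    Fine for this sample; use tldextract for real public suffixes (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

def classify(url):
    """Return (reason, host) when the script's domain is suspicious, else None."""
    host = (urlparse(url).hostname or "").lower()
    label, suffix = split_host(host)
    if label in KNOWN_VENDORS:                 # exact vendor label...
        if suffix not in KNOWN_VENDORS[label]: # ...under a suffix it never uses
            return ("suffix-deviation", host)
        return None                            # genuine, expected domain: not flagged
    for vendor in KNOWN_VENDORS:               # otherwise look for near-misses
        if levenshtein(label, vendor) <= MAX_DISTANCE:
            return ("lookalike", host)
    return None

def scan(urls):
    """Run classify() over an inventory of observed script URLs; keep only findings."""
    return [(u, *hit) for u in urls if (hit := classify(u))]

OBSERVED = [  # constructed inventory of script loads seen in the browser
    "https://www.google-analytics.com/analytics.js",  # expected vendor
    "https://www.gooogle-analytics.com/track.js",     # lookalike, 1 edit
    "https://www.google-analytics.co/collect",        # right label, wrong suffix
    "https://trackking-api.com/t.js",                 # lookalike, 1 edit
    "https://static.unrelated-site.org/app.js",       # far from every vendor
]

for url, reason, host in scan(OBSERVED):
    print(f"{reason:17} {host:28} <- {url}")
```

The exact vendor domain is deliberately left unflagged, which is the gap in a plain threshold check; the suffix branch is where the SIEM baseline described above plugs in.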