Phylum routinely identifies malware and other software supply chain attacks targeting high-value, critical assets: an organization’s software developers. Most recently, we’ve reported on a flurry of sophisticated attacks targeting JavaScript developers, respawning malware on PyPI, and were the first to identify North Korean state actors publishing malicious packages.
Another way to mitigate typosquatting would be namespacing crates. Much easier to verify who owns the package and related packages.
Doesn’t really help: what if you typo the namespace instead? Same exact issue. Namespaces are useful for other things though, but not security.
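The disagreement above is easy to check mechanically. The following is an added example, not code from the thread or from crates.io: a crude typosquat lint of the kind a registry or a CI policy might run against a new dependency. It flags any name within one edit (insertion, deletion, substitution or adjacent transposition) of a known popular name, after applying crates.io's rule that names are case-insensitive and that `-` and `_` are interchangeable (assumed here). The namespaced variant and its `owner/name` syntax are hypothetical, since crates.io has no namespaces; it exists to show that a one-character slip in the owner part trips the same check as a slip in the crate name. The popular-name list is constructed for the example.

```rust
/// Optimal string alignment distance: Levenshtein plus adjacent
/// transpositions, so "sedre" is one step from "serde" rather than two.
fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for (i, row) in d.iter_mut().enumerate() {
        row[0] = i;
    }
    for j in 0..=m {
        d[0][j] = j;
    }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            d[i][j] = (d[i - 1][j] + 1)
                .min(d[i][j - 1] + 1)
                .min(d[i - 1][j - 1] + cost);
            // Adjacent transposition (e.g. "rd" <-> "dr").
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1);
            }
        }
    }
    d[n][m]
}

/// Assumed crates.io normalisation: case-insensitive, '-' and '_' equivalent.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Returns the popular name that `candidate` is confusable with
/// (one edit away after normalisation, but not identical), if any.
fn nearest_confusable<'a>(candidate: &str, known: &[&'a str]) -> Option<&'a str> {
    let c = normalize(candidate);
    known.iter().copied().find(|&k| {
        let k_norm = normalize(k);
        k_norm != c && osa_distance(&c, &k_norm) == 1
    })
}

/// Hypothetical namespaced form "owner/name". A single typo in either
/// component is flagged: the namespace adds a second field to mistype,
/// it does not remove the confusability problem.
fn namespaced_confusable<'a>(
    candidate: &str,
    known: &[(&'a str, &'a str)],
) -> Option<(&'a str, &'a str)> {
    let (ns, name) = candidate.split_once('/')?;
    let (ns, name) = (normalize(ns), normalize(name));
    known.iter().copied().find(|&(kns, kname)| {
        let (kns_n, kname_n) = (normalize(kns), normalize(kname));
        let identical = kns_n == ns && kname_n == name;
        !identical && osa_distance(&kns_n, &ns) + osa_distance(&kname_n, &name) == 1
    })
}

fn main() {
    // Constructed list; a real lint would load it from download statistics.
    let popular = ["serde", "tokio", "rand", "syn"];
    for c in ["serde", "Serde", "sedre", "serd", "tokyo", "rnad", "serde_json"] {
        match nearest_confusable(c, &popular) {
            Some(k) => println!("{c:12} -> suspicious, looks like {k}"),
            None => println!("{c:12} -> ok"),
        }
    }
    // Hypothetical namespaces: the owner part is just as easy to mistype.
    let namespaced = [("serde", "json"), ("tokio", "tokio")];
    for c in ["serde/json", "serd/json", "serde/jsno", "tokio"] {
        match namespaced_confusable(c, &namespaced) {
            Some((o, n)) => println!("{c:12} -> suspicious, looks like {o}/{n}"),
            None => println!("{c:12} -> ok"),
        }
    }
}
```

A distance threshold of one is deliberately tight: it catches the common slips (`tokyo`, `rnad`) without drowning a reviewer in legitimate neighbours, but it still produces false positives such as `sync` against `syn`, so a check like this belongs in a review queue or a warning, not an automatic reject.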