From 2208ecb335f7895c658cd291e7822d98b1f8b493 Mon Sep 17 00:00:00 2001
From: Nikhil
Date: Tue, 5 May 2026 04:07:30 +0100
Subject: [PATCH] fix: catch npm case-sensitive typosquats

---
 guarddog/analyzer/metadata/npm/typosquatting.py | 10 ++++++++--
 tests/analyzer/metadata/test_typosquatting.py | 3 ++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/guarddog/analyzer/metadata/npm/typosquatting.py b/guarddog/analyzer/metadata/npm/typosquatting.py
index ea639aeef..2386c320f 100644
--- a/guarddog/analyzer/metadata/npm/typosquatting.py
+++ b/guarddog/analyzer/metadata/npm/typosquatting.py
@@ -76,9 +76,15 @@ def detect(
 def _get_confused_forms(self, package_name) -> list:
 """Gets confused terms for npm packages.
- Currently, there are no confused terms for npm packages.
+ Older npm packages may use uppercase letters, while new packages must be
+ lowercase. Treat the lowercase form as confusingly similar so packages
+ like "jsonstream" can be flagged against "JSONStream".
 """
- return []
+ lowercase_package_name = package_name.lower()
+ if lowercase_package_name == package_name:
+ return []
+
+ return [lowercase_package_name]
 if __name__ == "__main__":
diff --git a/tests/analyzer/metadata/test_typosquatting.py b/tests/analyzer/metadata/test_typosquatting.py
index 5a699d41e..0c8e66965 100644
--- a/tests/analyzer/metadata/test_typosquatting.py
+++ b/tests/analyzer/metadata/test_typosquatting.py
@@ -37,7 +37,8 @@ class TestTyposquatting:
 ("wich-boxed-primitive", "which-boxed-primitive"),
 ("twetnacl", "tweetnacl"),
 ("jest-watchers", "jest-watcher"),
- ("shpk", "sshpk")
+ ("shpk", "sshpk"),
+ ("jsonstream", "JSONStream"),
 ]
 golang_typosquats = [
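Review bot: The new `_get_confused_forms` body returns the lowercase form only when `package_name` itself contains uppercase letters, so for the pair the commit adds to the tests, `("jsonstream", "JSONStream")`, the candidate `"jsonstream"` lowercases to itself and yields `[]`; the case is caught only if the caller applies this method to the legitimate name (`"JSONStream"`) and compares the candidate against that. `detect` begins outside this hunk, so which argument is lowercased cannot be confirmed here; a why-comment on the `lower()` line would make the intended direction explicit, e.g. `# npm rejects new names containing uppercase, so a squat of an older mixed-case package can only be its all-lowercase form`. Two smaller points: the signature still returns a bare `list` where `-> list[str]` would document what callers get, and the two-branch body reads more directly as `return [lowercase_package_name] if lowercase_package_name != package_name else []`.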
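Review bot: The added pair `("jsonstream", "JSONStream")` only covers a lowercase candidate against a mixed-case legitimate package, so it cannot distinguish a detector that lowercases the legitimate name from one that lowercases the candidate — under the new `_get_confused_forms`, the latter would return `[]` for `"jsonstream"` and the case would not be flagged. A direct assertion on the method, `[]` for `"jsonstream"` and `["jsonstream"]` for `"JSONStream"`, would pin that contract independently of the pair list. The enclosing `TestTyposquatting` class begins outside this hunk.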