Cisco NVM - Installation of Typosquatted Python Package

This analytic detects suspicious python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered. Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones. This detection leverages Cisco NVM flow telemetry and checks for pip or poetry package managers with the "install" or "add" flags, making outbound connections to package repository such as `pypi.org` with known or suspected typo package names.