Published
- 6 min read
By Allan D - Editor, AI Security Wire
Slopsquatting: AI Hallucinated Packages
The supply chain attack surface that emerged from the AI coding era has a new entry point, and it operates on a mechanism that existing supply chain defences weren’t designed to address.
Socket.dev researchers coined the term “slopsquatting” earlier in 2026 to describe a specific attack pattern: an LLM-based coding assistant suggests a package that doesn’t exist, and an attacker registers that package name in the relevant registry (PyPI, npm, crates.io, RubyGems) before any developer realises the name was hallucinated. Any developer who copies the AI’s suggestion and runs the install command gets the attacker’s package.
Why LLMs Suggest Packages That Don’t Exist
Language models generate code by predicting plausible continuations of a programming context. They don’t query live package registries. Their knowledge of available packages is frozen at training cutoff and is, in any case, probabilistic rather than factual: the model produces the package name most statistically consistent with the context, not the package name that’s confirmed to exist.
In practice, this produces several categories of hallucination:
- Confabulated variations: the model generates a name that sounds like a real package but isn’t exactly one, such as requests-enhanced, flask-oauth2-plus, or numpy-extended. None of these are necessarily real, but all are plausible.
- Versioned misreferencing: the model suggests a real package but invents a version number or import path, e.g. import langchain.agents.v2 where .v2 doesn’t exist and the actual API changed.
- Merged packages: the model conflates two real packages into a name that resembles both but matches neither. This is particularly common where multiple packages serve similar functions.
The hallucination rate is not a rounding error. Socket.dev’s testing found non-existent package suggestions in 20–30% of responses to prompts involving third-party library requirements across multiple tested models. The rate is lower for extremely common packages where the model has high training density. It’s substantially higher for specialised, recent, or domain-specific requirements.
The Attack Mechanics
Exploitation requires two steps: identifying a hallucinated package name that no legitimate publisher has registered, then registering it before the hallucination is widely noticed.
Attackers are automating the first step. Tools that repeatedly query AI coding assistants with variations of realistic coding prompts and cross-reference responses against live registry data can identify unregistered hallucinated names at scale. Because AI models generate consistent patterns, the same hallucinated package name tends to appear across multiple similar prompts, a name that’s hallucinated once is likely to be hallucinated many times.
Registry registration is trivially cheap. A PyPI package upload is free. Npm publication is free. Squatting a name costs nothing and requires minimal infrastructure. The economics strongly favour the attacker: minimal cost, potentially large reach if the hallucinated name is frequently suggested.
The payload can be anything a malicious Python or JavaScript package can deliver: credential exfiltration, persistent backdoor installation, environment variable harvesting, cryptominer deployment. Some documented cases have used the install hook mechanism: code that executes immediately on pip install or npm install without any import or require statement in the developer’s code.
The Supply Chain Position
What makes slopsquatting particularly problematic is that it sits at a position in the supply chain with historically weak controls.
Most organisations have some process around vetting third-party dependencies: security reviews, vulnerability scanning, licence checks. But that process typically applies to packages that appear in a pull request after a developer has already installed them. The decision to install the package, and the install itself, happens earlier and faster, often on a developer’s local machine based on an AI suggestion and a quick scan of the package description.
A convincingly named slopsquatting package can pass the casual inspection that most developers apply before installing a suggested dependency. The package might even have a legitimate-looking README auto-generated by the attacker and a small number of recent stars from sockpuppet accounts.
The attack doesn’t require compromising a legitimate package maintainer’s account, which has been the dominant software supply chain threat model for the last several years. It doesn’t require inserting malicious commits into a trusted repository. It exploits a gap between what developers expect (verified AI suggestions) and what AI coding assistants actually provide (statistically plausible suggestions that may be completely fabricated).
Current Scale and Documented Cases
Lasso Security published research in late 2025 documenting multiple instances of malicious packages matching common AI hallucination patterns, including packages in the Python ecosystem with names that recur across tested models. The packages had install counts in the hundreds to low thousands before detection, consistent with developers copying AI suggestions without verification.
Socket.dev’s threat intelligence feed has tracked an increasing volume of package registrations matching known hallucination patterns since mid-2025, with a sharp increase following wider deployment of AI coding tools in enterprise development environments.
The attack is measurably scaling with AI coding assistant adoption. GitHub Copilot, Cursor, and Claude Code collectively have millions of daily active users generating code. The suggestion-to-install pipeline for a hallucinated package can complete in minutes.
Defensive Guidance
Verify before installing. The correct response to an AI-suggested package is to confirm it exists on the registry and examine it briefly before running the install command. This takes 30 seconds and eliminates the hallucination vulnerability entirely for that package. The problem is habit: developers accustomed to trusting AI suggestions may not have built this check into their workflow.
Lock file discipline. Committing requirements.txt, package-lock.json, or Cargo.lock with pinned versions to version control, and reviewing those files in pull request review, creates a checkpoint where hallucinated or suspicious packages appear. An AI-suggested package that’s a week old with 47 stars and an auto-generated README is a yellow flag at code review time.
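The two checks above (does the name exist on the registry, and how old is it) can be scripted so they run before the install rather than at code review. The following is an added example, not code from the article or from Socket.dev; it queries PyPI's real JSON API for live lookups, and the 90-day threshold, the FAKE_REGISTRY stand-in and the demo inputs are constructed assumptions.

```python
# Added example (not from the article): pre-install check for AI-suggested pip packages, via PyPI's real JSON API.
import json, re, urllib.error, urllib.request
from datetime import datetime, timezone
PYPI_JSON = "https://pypi.org/pypi/{name}/json"
MIN_AGE_DAYS = 90  # assumed threshold: younger packages are flagged for human review

def fetch_pypi(name):
    """Return PyPI metadata for name, or None when the name is unregistered."""
    try:
        with urllib.request.urlopen(PYPI_JSON.format(name=name), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def parse_install_names(command):
    """Pull PEP 503-normalised package names out of a 'pip install ...' line."""
    match = re.match(r"\s*(?:python3? -m )?pip install\s+(.*)", command)
    names = []
    for tok in match.group(1).split() if match else []:
        if tok.startswith("-"):  # skip flags such as --upgrade
            continue
        bare = re.split(r"[\[<>=!~;@]", tok, maxsplit=1)[0]  # drop extras/specifiers
        names.append(re.sub(r"[-_.]+", "-", bare).lower())
    return names

def assess(names, fetch=fetch_pypi, now=None):
    """Map each name to 'missing' (slopsquat candidate), 'new' (review), or 'ok'."""
    now = now or datetime.now(timezone.utc)
    verdicts = {}
    for name in names:
        meta = fetch(name)
        if meta is None:
            verdicts[name] = "missing"
            continue
        uploads = [f["upload_time_iso_8601"] for files in meta["releases"].values() for f in files]
        # A registered name with no files yet is treated as brand new, never as safe.
        first = min((datetime.fromisoformat(u.replace("Z", "+00:00")) for u in uploads), default=now)
        verdicts[name] = "ok" if (now - first).days >= MIN_AGE_DAYS else "new"
    return verdicts

# Constructed stand-in for live PyPI responses so the demo runs offline.
FAKE_REGISTRY = {"requests": {"releases": {"2.31.0": [{"upload_time_iso_8601": "2023-05-22T15:12:00Z"}]}},
                 "requests-enhanced": {"releases": {"0.0.1": [{"upload_time_iso_8601": "2026-03-01T10:00:00Z"}]}}}

def demo():
    names = parse_install_names("pip install requests requests-enhanced flask-oauth2-plus")
    return assess(names, fetch=FAKE_REGISTRY.get, now=datetime(2026, 3, 10, tzinfo=timezone.utc))
```

demo() returns {'requests': 'ok', 'requests-enhanced': 'new', 'flask-oauth2-plus': 'missing'}; calling assess() without the fetch argument runs the same verdicts against live PyPI.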
Registry security scanning. Tools like Socket.dev, Phylum, and Snyk’s supply chain scanning include analysis of package behaviour (install hooks, obfuscated code, suspicious network calls) that can catch slopsquatting payloads before installation completes. Integrating these into CI/CD pipelines adds a layer between npm install and the developers’ machines.
Developer training. The attack is social engineering at the AI-human interface. Developers need to understand that AI coding assistants don’t query live registries and can suggest packages that don’t exist. This should be part of AI tool onboarding documentation, not an assumption that developers will discover independently.
The supply chain threat model that security teams built around dependency management was designed for an era where developers found packages through search, documentation, and peer recommendation. AI coding assistants have created a new suggestion pathway that bypasses all of that. The defences need to catch up to the new model.
References
- Socket.dev — The Rise of Slopsquatting: How AI Hallucinations Are Fueling a New Class of Supply Chain Attacks
- BleepingComputer — AI-hallucinated code dependencies become new supply chain risk
- Infosecurity Magazine — AI Hallucinations Create “Slopsquatting” Supply Chain Threat
- Trend Micro — Slopsquatting: When AI Agents Hallucinate Malicious Packages
Frequently Asked Questions
- How often do AI coding assistants suggest non-existent packages?
- Research from Socket.dev testing multiple LLMs against realistic coding prompts found hallucinated package suggestions occurring in 20–30% of responses involving third-party library requirements. The rate varies significantly by programming language, prompt specificity, and model. Python and JavaScript ecosystems are most affected due to the breadth of their package registries and the volume of training data referencing real packages, making plausible-sounding fake package names easier for models to generate convincingly.
- What makes slopsquatting different from traditional typosquatting?
- Typosquatting relies on human error: a developer mistyping a real package name. Slopsquatting requires no error at all. The developer correctly copies the AI's suggestion. The attack target is the AI's training distribution, not human attention. This means standard defences against typosquatting (spell-check, careful typing) provide no protection. The developer followed correct procedure by trusting an authoritative-seeming AI suggestion, and still installed malware.
- Which AI coding tools are most affected?
- Any LLM-based coding assistant that generates install commands or package imports without live registry verification is potentially affected: GitHub Copilot, Claude Code, Cursor, Gemini CLI, Amazon CodeWhisperer, and chatbot-style models used for coding (GPT-4o, Claude claude-sonnet-4-6). Tools that do verify packages against live registries before suggesting them, a minority, are not vulnerable to the hallucination step, though they may still suggest legitimate packages with security issues.