AI coding assistants have become indispensable — and that's precisely the problem. Millions of developers now rely on tools like GitHub Copilot, Cursor AI, and ChatGPT to generate code faster than ever. But buried inside those convenient suggestions is a silent threat that security teams are only beginning to fully reckon with: slopsquatting.
A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and the model's tendency to "hallucinate" non-existent package names.
It's stealthy, scalable, and shockingly easy to exploit — and if your team is using AI-assisted development without the right safeguards, you're already exposed.
What Is Slopsquatting?
The term combines "AI slop" and "typosquatting," a deceptive practice where attackers register misspelled or lookalike versions of popular domains to prey on users who enter URLs incorrectly.
But slopsquatting is a fundamentally different beast.
The term was coined by security researcher Seth Larson as a spin on typosquatting, an attack method that tricks developers into installing malicious packages by using names that closely resemble popular libraries. Unlike typosquatting, slopsquatting doesn't rely on misspellings.
Instead,
slopsquatting is a term first coined by Seth Larson, a security developer-in-residence at the Python Software Foundation. Instead of relying on a user's mistake, as in typosquats, threat actors rely on an AI model's mistake.
Large language models do not look up packages. They predict tokens that are statistically likely to follow a coding context. When the right answer is uncertain, the model fills the gap with something that looks plausible: an author name that follows naming conventions, a DOI that is well-formed, a package name that fits the ecosystem.
The Scale of the Problem: What the Research Shows
This isn't a theoretical edge case. The numbers are alarming.
The scale of the underlying hallucination problem was quantified in the academic paper "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs," presented at USENIX Security 2025 by researchers at the University of Texas at San Antonio, the University of Oklahoma, and Virginia Tech. The researchers generated 2.23 million code samples using 16 popular code-generating models across Python and JavaScript. Of those samples, 440,445 — 19.7% — contained at least one hallucinated package name. Across those hallucinations, the study identified 205,474 unique fabricated package names.
What makes slopsquatting truly dangerous, however, is not just the volume — it's the repeatability.
43% of those hallucinated package names were consistently reproduced across similar prompts, and 58% reappeared at least once within ten runs of the same query. This reproducibility means attackers can map predictable hallucinations in advance.
Once attackers identify which fictitious package names appear frequently across multiple prompts, they register those names in public repositories like npm or PyPI with malicious payloads.
The trap is set. All that's needed is for a developer to run pip install or npm install on the AI's recommendation.
Not all AI models carry the same risk.
Hallucination rates vary considerably by model class. Open-source models produced hallucinated packages at an average rate of 21.7%, while commercial models averaged 5.2%. Models in the CodeLlama family exceeded a 33% hallucination rate in some configurations. GPT-4 Turbo achieved the lowest measured rate in the study at 3.59%. These differences are significant for organizational policy, but even the best-performing commercial models hallucinate at rates sufficient to represent a meaningful, persistent risk at scale.
How a Slopsquatting Attack Actually Unfolds
The anatomy of a slopsquatting attack is deceptively simple:
The slopsquatting attack unfolds through a calculated exploitation of AI development workflows. Attackers monitor AI code generation patterns across popular platforms, identifying frequently hallucinated package names. When developers ask AI assistants for help with specific tasks, the AI often suggests realistic-sounding but non-existent packages.
Attackers register the most promising names on npm, PyPI, RubyGems, crates.io, or any registry that allows public publication. Each registered package contains a working facade and a malicious payload, typically credential exfiltration or environment variable theft on install.
The hallucinated names aren't random gibberish — they're dangerously convincing.
Research from USENIX Security 2025 classified hallucinated package names into three categories: conflations (38%), in which the model merges two real package names; typo variants (13%), which closely resemble real packages; and pure fabrications (51%), which are contextually plausible but entirely invented.
A developer reviewing AI-generated code who is unfamiliar with a specific package has no obvious signal that react-codeshift is not a real, widely-used tool. This plausibility is precisely what makes slopsquatting viable where a random typosquatting attempt might raise suspicion.
Real-World Incidents: From Theory to Active Threat
Slopsquatting is no longer a theoretical risk.
Confirmed real-world cases are emerging.
In January 2026, security researcher Charlie Eriksen found that AI coding agents had already spread instructions referencing a hallucinated npm package, react-codeshift (a name that plausibly conflates two real tools, jscodeshift and react-codemod), across 237 repositories, with agents still attempting to install it daily. Eriksen registered the name himself, defensively, before an attacker could weaponise it.
Separately, a real malicious package named unused-imports, hallucinated in place of the legitimate eslint-plugin-unused-imports, was still recording roughly 233 weekly downloads in early 2026 despite npm placing it under a security hold — a sign of how long a slopsquatting attack can keep drawing victims even after it's been flagged.
Why Agentic AI Makes This Dramatically Worse
The slopsquatting problem is bad enough when a human developer is in the loop. The rise of autonomous AI coding agents takes the risk to an entirely different level.
Traditional slopsquatting required a human developer to review AI-generated code, notice a package recommendation, and choose to install it — providing at least an implicit checkpoint.
AI coding agents make it worse by installing dependencies autonomously, so the poisoned package executes before a human reviews anything.
As security researcher Andrew Nesbitt observed in April 2026, agents resolve packages programmatically without a human glancing at the name to notice something is off. An agent tasked with building a feature will generate the code, identify its own generated dependencies, and invoke the package manager — often without any step in that sequence
being reviewed by a human eye.
And the threat is evolving further.
In July 2026, researchers described a related technique, dubbed "HalluSquatting," that chains an AI hallucination with a prompt injection so that an AI coding agent fetching a hallucinated resource on a user's behalf can be hijacked into running attacker-supplied code, extending the evolution of slopsquatting from a passive install risk into an active remote-code-execution vector inside agentic development workflows.
CISA, the NSA, and the Five Eyes partners published a joint advisory on AI agent supply chain risk in early 2026. The Stanford AI Index lists it among the top three new attack surfaces for autonomous agents.
Practical Tips: How to Protect Your Team Right Now
The good news is that slopsquatting is defendable. It requires a layered approach, combining technology, process, and developer education.
Mitigating this threat requires a layered security approach, combining best practices such as provenance tracking (via Software Bills of Materials), automated vulnerability scanning, sandboxed installations, real-time package validation, and human oversight to secure AI-driven development pipelines.
Here's what you can act on immediately:
- Verify every AI-suggested package manually.
Visit PyPI, npm, or GitHub before installing and check the package age, as new packages are riskier. Then check for the download counts, stars, issue history, and recent activity.
- Enforce SBOM generation in your CI/CD pipeline.
Organizations should produce and maintain SBOMs for all AI-generated codebases entering production. SBOMs provide traceability when a malicious package is later identified and enable rapid impact assessment across the portfolio. SBOM generation should be a mandatory step in CI/CD pipelines for any project with AI-assisted development.
-
Pin your dependencies with lockfiles. Enforce lockfile integrity across all projects so that only explicitly approved package versions can be installed, removing opportunistic substitution.
-
Sandbox new package installations.
When automatic package installs are unavoidable, enforce strict sandbox controls: run AI-suggested installations within disposable containers or lightweight VMs to isolate and contain host compromise.
- Deploy real-time scanning tools.
Use tools like Snyk, Dependabot, or Socket.dev to flag vulnerable packages before you install them.
- Establish a dependency allowlist.
Create approved package registries and restrict installations to vetted sources only.
- Lower your LLM temperature for code generation tasks.
Industry reporting suggests a measurable correlation between higher temperature settings — which increase output randomness — and higher hallucination rates. Where tooling allows, lowering temperature for code generation tasks is a low-cost mitigation.
- Train your developers.
Educate engineering teams on slopsquatting risks and enforce policies mandating dependency vetting, signature verification, and routine incident-response drills.
Conclusion: Trust Your Tools — But Verify Their Output
AI coding assistants are here to stay, and they deliver genuine productivity gains. But
according to a study by GitHub, more than 97% of developers surveyed said they had used AI-coding tools at least once in their work. Black Duck's experts note that most developers don't fully understand the risks involved in using AI-generated code.
That knowledge gap is exactly what slopsquatting exploits.
LLM coding assistants accelerate development but introduce a critical software supply-chain vulnerability: AI-generated "hallucinated" dependencies. Threat actors exploit this by registering these non-existent package names, creating direct pathways for malicious code injection. Critically, existing controls like SBOMs and standard vulnerability scanning may fail to detect this specific vector, creating an assurance gap that boards and regulators expect auditors to address.
The era of blindly trusting AI-generated code is over. Now is the time to audit your AI-assisted development workflows, implement dependency verification gates, and ensure your security posture is built for the AI age. Start with one practical step today — verify the next AI-suggested package before you install it. Your software supply chain depends on it.



