
Trust is becoming one of the most valuable—and most dangerous—currencies in software development. Every time an AI coding assistant suggests a library, most developers assume it exists. That assumption is increasingly being weaponized, not by breaking into software repositories, but by waiting for AI to imagine a package that has never existed in the first place.
This emerging software supply chain threat is known as slopsquatting. It exploits one of the most familiar weaknesses of large language models: hallucination. Instead of producing a valid dependency, an AI generates a believable package name. An attacker notices the pattern, publishes a malicious package under that exact name, and patiently waits for someone—or an autonomous coding agent—to install it.
It sounds almost too simple to work. Unfortunately, security researchers have shown that it does.
How a Hallucinated Package Becomes a Real Threat
Imagine asking an AI assistant to help you process PDF files in Python. Instead of recommending an established package, it confidently suggests a fictional library such as smartpdftools. Since the name looks legitimate, you copy the installation command:
pip install smartpdftoolsIf no such package exists today, nothing happens. But if a cybercriminal has already published malware using that exact name on PyPI, the command installs malicious code instead.
This attack doesn’t require compromising an existing project, stealing maintainer credentials, or exploiting a package registry. The attacker simply turns an AI mistake into an opportunity.
Researchers from the USENIX Security Symposium analyzed more than 576,000 code samples generated by 16 popular coding models and identified over 205,000 unique hallucinated package names. Even more concerning, many of those fictitious packages appeared repeatedly across different prompts, making them predictable enough for attackers to target.
Why Consistency Makes the Problem Worse
Most people think of AI hallucinations as random mistakes. In practice, many are surprisingly consistent.
Ask similar questions in separate conversations, and the model may invent the same package repeatedly. That consistency allows attackers to build a list of likely hallucinations, register them across package repositories, and wait for developers to unknowingly install them.
Unlike traditional typosquatting, which relies on human typing errors like numpi instead of numpy, slopsquatting exploits misplaced confidence in AI-generated recommendations.
TechRadar Pro notes that the software security community now recognizes package hallucination as a growing supply chain concern, particularly as AI coding assistants become part of everyday development workflows.
The Rise of AI Coding Agents Changes Everything
Until recently, developers remained the final checkpoint. An AI could recommend a package, but a human still decided whether to install it.
That safety net is beginning to disappear.
Modern AI coding agents can generate code, install dependencies, execute scripts, and even deploy applications with limited human oversight. A hallucinated package is no longer just bad advice—it can become an automated execution path.
Picture a continuous integration pipeline where an AI agent receives a prompt to build a web application. During the process, it generates a dependency, installs it automatically, and proceeds with deployment. If that dependency happens to be a malicious package registered by an attacker, the compromise occurs long before a developer reviews the code.
This shift from AI assistance to AI autonomy dramatically increases the impact of package hallucinations.
A Familiar Lesson in a New Form
Years ago, organizations warned employees not to click suspicious email attachments because trust was being exploited. Today, developers face a similar challenge.
The difference is that the recommendation now comes from a tool they rely on every day.
A colleague once described AI-generated code as “autocomplete with confidence.” That confidence is incredibly useful when it accelerates routine work. It becomes risky when it convinces experienced developers to skip simple verification steps they would normally perform without hesitation.
The software itself isn’t malicious. The misplaced trust can be.
HalluSquatting Expands the Attack Surface
Researchers have already identified the next evolution of this technique.
Instead of hallucinating package names, some AI systems invent GitHub repositories, download links, or project URLs that do not exist. Attackers can create those repositories, populate them with malicious code, and rely on AI agents to clone and execute them automatically.
This technique, known as HalluSquatting, demonstrates that hallucinations are no longer limited to package managers. They can influence almost every stage of the software supply chain.
Coverage by Tom’s Hardware highlights how researchers successfully demonstrated these attacks against multiple AI-assisted development workflows.
How to Verify AI-Recommended Dependencies
Fortunately, reducing the risk requires discipline more than complex tooling.
- Search for the package directly on its official registry before installing it.
- Review the project’s documentation, release history, and maintainer information.
- Avoid installing dependencies that appear only in AI-generated responses but nowhere else.
- Pin dependency versions using lock files to reduce unexpected changes.
- Require human approval before AI agents execute installation commands in production environments.
- Use Software Composition Analysis (SCA) tools to scan newly introduced dependencies for known risks.
Even spending thirty seconds verifying a package on PyPI, npm, or another official registry can prevent hours—or days—of incident response.
Security Is Becoming a Verification Problem
As coding assistants continue to improve, package hallucinations will likely become less frequent. Yet even a small number of repeatable hallucinations can create lasting opportunities for attackers. Once a malicious package is published under a hallucinated name, the risk doesn’t disappear simply because future AI models become more accurate.
The broader lesson extends beyond package managers. AI-generated output should be treated as a helpful starting point rather than unquestionable truth. Whether it’s code, infrastructure configurations, or dependency recommendations, verification remains a responsibility that cannot be delegated entirely to automation.
The software supply chain has always depended on trust. AI is changing where that trust is placed. Developers who continue to verify before they install will remain one step ahead of attackers who are betting they won’t.
Discover more from Aree Blog
Subscribe now to keep reading and get access to the full archive.


