The Rise of Slopsquatting
Cybercriminals are weaponizing AI hallucinations to infiltrate software supply chains. The emerging attack, dubbed “slopsquatting,” involves registering malicious software packages that correspond precisely to the fictitious libraries suggested by Large Language Models (LLMs). By predicting which non-existent names an AI will generate, attackers trick developers into installing malware directly into production environments.

Capitalizing on AI Hallucinations
The mechanism exploits the inherent tendency of LLMs to invent plausible-sounding code. When a developer prompts a model for a specific tool, the AI may suggest a package that does not actually exist in repositories like npm or PyPI. Threat actors monitor these outputs to identify recurring “hallucination patterns.” Once a pattern is identified, they register the package on a public registry and pack it with malicious code. Because developers trust the AI’s recommendation, they often bypass standard verification, executing the attacker’s code within their local or CI/CD environment.
A Sophisticated Shift from Typosquatting
Slopsquatting represents a significant evolution from traditional typosquatting, where attackers merely registered common misspellings like crossenv instead of cross-env.
Because these names lack the telltale signs of a typo, traditional automated security filters often fail to flag them. This threat is amplified as multiple LLMs frequently hallucinate the identical fictitious names, allowing a single malicious package to compromise a broad audience of developers across different organizations.
Vulnerabilities in AI-Assisted Workflows
The prevalence of slopsquatting is tied to the rapid adoption of "vibe coding" and AI assistants.
Risk levels vary by model architecture. Controlled tests reveal that open-source models are generally more prone to generating hallucinated packages than proprietary versions. However, researchers warn that as attackers focus on AI-assisted workflows, this safety disparity may narrow. Threat actors are increasingly targeting the underlying training data and retrieval-augmented generation (RAG) pipelines of high-performing models.
Securing the Development Lifecycle
Defending against slopsquatting requires moving beyond passive trust in AI outputs. Security teams and developers should adopt the following practices:
- Mandatory Verification: Never install a package suggested by an AI without first searching the official registry (e.g., npm, PyPI) to confirm it is a widely recognized, legitimate library.
- Automated Dependency Scanning: Implement Software Composition Analysis (SCA) tools that automatically cross-reference project dependencies against known, verified databases.
- Monitoring Installations: Security teams should monitor for anomalous package installation requests, particularly those that originate from automated scripts or unusual developer prompts.
- Zero-Trust Dependency Management: Treat AI-generated code snippets as untrusted input. Before committing AI-suggested code to a repository, review all imports and dependencies for potential security risks.
As AI integrates further into software development, the boundary between helpful automation and supply chain vulnerability remains a critical focus. The ability of attackers to weaponize model hallucinations underscores the urgent need for rigorous verification processes in every AI-assisted workflow.