Policy & RegulationJul 12, 2026 07:27 UTC

Slopsquatting: The Fake Packages Created by AI

A new supply chain attack method called 'slopsquatting' has emerged, exploiting hallucinations generated by AI coding assistants. When AI recommends non-existent package names, attackers register malware under those names, allowing malicious code to be incorporated into projects without developers' awareness. This threat cannot be detected by conventional typosquatting defenses, rendering existing registry protections ineffective.

Slopsquatting: The Fake Packages Created by AI

The widespread adoption of AI coding assistants is bringing new supply chain risks to software development environments. A new attack method called 'slopsquatting' has emerged, leveraging non-existent package names generated by AI to inject malware into development environments without developers' knowledge.

The term 'slopsquatting' is a portmanteau combining 'AI slop' (poor-quality content generated by AI) and 'typosquatting.' Typosquatting is a classic technique where attackers register domains or names with slight misspellings of popular packages to trick users into making input errors—a practice with decades of history. Package registries have implemented countermeasures against this attack method. However, slopsquatting differs because it involves AI itself generating 'plausible-sounding non-existent package names,' rendering conventional defenses ineffective.

The mechanism works as follows: When developers request code generation from AI assistants, the AI sometimes recommends open-source packages that do not actually exist. This phenomenon is called 'hallucination' in LLMs (Large Language Models). At this stage, it remains harmless, but if attackers identify these package names in advance and register packages with the same names containing malware, malicious code can be incorporated into developers' projects without their awareness. The fact that AI tends to repeatedly recommend specific fictional package names allows attackers to conduct advance research on which names to target, further amplifying the problem.

For example, typosquatted names like 'crossenv' (mimicking the popular 'cross-env') would be detected by registry protection mechanisms. Conversely, AI-generated names like 'cross-env-extended' or 'mpn install cross-env file' are not recognized as threats by existing defense systems. These blind spots create the foundation for large-scale breaches.

Data demonstrating the persistence and severity of hallucinations has also been reported. A research team analyzing 31,267 vulnerabilities across 14,675 packages spanning 10 programming languages found that vulnerability reports are increasing at an annual rate of 98%—far exceeding the annual growth rate of open-source packages themselves (25%). Additionally, the average duration of vulnerabilities has extended by 85%, indicating longer periods between discovery and remediation. This suggests that malicious packages could remain undetected in production environments for months or years, with the risk of damage spreading silently.

The significance of this issue lies in the fact that AI tools' 'convenience' and 'risks' are two sides of the same coin. While AI-assisted coding enhances productivity, it simultaneously creates structural vulnerabilities when developers blindly trust the output, opening entry points for external threats. LLM hallucinations have long been known as a risk of treating false information as fact, but slopsquatting exemplifies how this characteristic can directly translate into security vulnerabilities.

As a practical response, developers should adopt the habit of verifying package names recommended by AI through package registries rather than adopting them directly. At the organizational level, implementing automated dependency scanning tools and establishing package review processes before adoption represent effective countermeasures. As AI coding tools become increasingly embedded in development environments, whether vigilance against such attacks becomes integrated into standard software development security practices will be a key point to watch.

#Cybersecurity#LLM#Hallucination#SupplyChainAttack#AIRisk#OpenSource#GenerativeAI
AI issue Staff

This article is an original work independently written and edited by the AI issue editorial team based on factual reporting. © AI issue. Unauthorized reproduction, redistribution, or use for AI training is prohibited.

Comments

Log in to comment