On this page · 9 sections
Summary. The newest weak point in your dependency tree is a package your AI assistant invented. Researchers at the University of Texas at San Antonio, the University of Oklahoma and Virginia Tech generated 2.23 million code samples across 16 code-generating models and found that 19.7% contained at least one hallucinated package name, spanning 205,474 unique fabricated names (Spracklen et al., USENIX Security 2025, as documented by the Cloud Security Alliance). Open-source models hallucinated at 21.7% on average and commercial models at 5.2%; GPT-4 Turbo was lowest at 3.59%, while some CodeLlama configurations passed 33%. The attack that exploits this is slopsquatting: an attacker registers a hallucinated name on npm or PyPI, and every developer whose model invents that same name pulls the attacker's code. Registering the name costs an attacker $0. The hallucinations also repeat: re-running one prompt ten times, 43% of fabricated names appeared every single time. A 2026 replication on five frontier models, including Claude Haiku 4.5 and GPT-5.4-mini, narrowed the spread to between 4.62% and 6.10% but did not close it. This guide covers what slopsquatting is, the confirmed 2026 incidents, and seven controls that block hallucinated dependencies in your CI pipeline.
What slopsquatting is
The term was coined by Seth Larson, developer-in-residence at the Python Software Foundation, as a play on typosquatting. Typosquatting bets on a human typing expresss instead of express. Slopsquatting removes the typo and bets on the machine instead: a large language model confidently recommends a package that never existed, and an attacker pre-registers that exact name on a public registry before anyone else claims it. The next developer who prompts the same model for the same task receives the same recommendation, runs npm install or pip install, and pulls the attacker's payload.
Package hallucinations are not one uniform mistake. The USENIX Security 2025 study, as summarised by the Cloud Security Alliance, split them into three groups: pure fabrications (51%), which are contextually plausible but entirely invented; conflations (38%), where the model merges two real names, for example combining jscodeshift and react-codemod into react-codeshift; and typo variants (13%), which closely resemble a real package. Conflations are the dangerous ones. A developer who has never used a specific tool has no obvious way to know that react-codeshift is not a real, widely used package, which is exactly what makes the name convincing enough to install.
There is a cross-ecosystem twist as well. The same research found that 8.7% of Python package names hallucinated by models actually exist on npm. A Python developer can install a JavaScript-ecosystem name by mistake, and an attacker can register that name on PyPI purely as a delivery vehicle.
How often models actually hallucinate packages
The headline number, 19.7% of samples containing at least one hallucinated import, is an average across a wide spread of models. The distinction that matters for policy is model class. Commercial, closed models hallucinate far less than open-weight ones, but none reach zero.
| Model or class | Package hallucination rate | Source and notes |
|---|---|---|
| Open-source models (average) | 21.7% | Spracklen et al., USENIX Security 2025 |
| Commercial models (average) | 5.2% | Spracklen et al., USENIX Security 2025 |
| Some CodeLlama configurations | Over 33% | Highest band in the 2025 study |
| GPT-4 Turbo | 3.59% | Lowest measured rate in the 2025 study |
| Five 2026 frontier models | 4.62% to 6.10% | Churilov replication, 2026 |
The 2026 replication is the important update for anyone reassuring themselves that newer models fixed this. An independent researcher re-ran the original methodology on five code-capable models released between October 2025 and March 2026, including Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro and DeepSeek V3.2, across 199,845 paired Python and JavaScript prompts. Overall hallucination rates landed between 4.62% (Claude Haiku 4.5) and 6.10% (GPT-5.4-mini). That is an order-of-magnitude compression of the gap between the best and worst models, and it is still a real attack surface. The same paper identified 127 package names that all five models invented identically. After coordinated disclosure to PyPI Security and Socket.dev, 53 of those names, 41 on PyPI and 12 on npm, remained registrable by an attacker, which is a model-agnostic attack surface no single-model test would ever surface.
Why slopsquatting beats plain typosquatting
Typosquatting is a numbers game against random human error. Slopsquatting is a numbers game against predictable machine error, and predictability is the whole problem. When the USENIX researchers re-ran identical prompts ten times each, 43% of hallucinated package names reappeared on every run and 58% reappeared more than once; only 39% were unique to a single run. That consistency turns a hallucination into a reliable target.
Socket, the supply-chain security vendor credited with popularising the term, put the economics plainly in its reporting: "This consistency makes slopsquatting more viable than one might expect. Attackers don't need to scrape massive prompt logs or brute force potential names. They can simply observe LLM behavior, identify commonly hallucinated names, and register them." The defender has to validate every AI-suggested dependency; the attacker only has to watch which names a popular model keeps inventing and register them first.
Autonomous coding agents make the checkpoint disappear entirely. A human using an assistant still, in theory, reads the suggested code and might notice an unfamiliar import. An agent resolves packages programmatically. As independent researcher Andrew Nesbitt observed in April 2026, agents install dependencies without a human glancing at the name to notice something is off. Worse, in an agentic pipeline the post-install script of a malicious package runs in an environment that usually holds cloud credentials, source-control tokens and model API keys, so a single bad install can reach far past one laptop. This is the same reason we treat prompt handling carefully when hardening AI coding agents against shell injection: the agent's autonomy is the attack surface.
The cultural shift toward accepting AI output with little review, often called vibe coding, lowers the bar further. The implicit assumption is that generated code is roughly correct. A 19.7% package hallucination rate says that assumption is unsafe for dependency management specifically.
Confirmed incidents in 2026
Slopsquatting is not a thought experiment. Several cases are documented.
The clearest is unused-imports on npm. AI models hallucinate this name in place of the legitimate eslint-plugin-unused-imports. As of early February 2026 the malicious package was still live and pulling roughly 233 downloads a week even after npm placed a security hold on it, according to Aikido Security.
Security researcher Bar Lanyado documented a related pattern with huggingface-cli: an organisation copied an AI-recommended install command into public documentation without verifying it, and that apparent endorsement helped the hallucinated name accumulate over 30,000 downloads within three months. Institutionally trusted documentation propagated a name that should never have existed.
The conflation example from the taxonomy showed up in the wild too. Researcher Charlie Eriksen found react-codeshift spreading through 237 repositories via AI-generated agent skills, with downloads driven not by humans copying snippets but by agents executing their own generated output.
One important boundary: not every AI-adjacent supply-chain attack is slopsquatting. The TeamPCP campaign that hit PyPI in March 2026 compromised two widely used packages, the litellm LLM proxy and the telnyx telephony SDK, through credential theft and reuse rather than package hallucination, per Datadog Security Labs. It matters because litellm is itself a dependency in many AI pipelines, so the lesson is that attackers are targeting AI tooling infrastructure through whatever vector works. Slopsquatting is one of several, and your controls should assume more than one.
Seven controls to block hallucinated packages in CI
The defence is not a single scanner. It is a small set of pipeline controls that make an AI-invented dependency fail closed before it reaches production. None of these require you to abandon AI-assisted development; they require you to stop trusting AI-generated import and require statements as verified input.
1. Pin and hash-verify every lockfile
Commit lockfiles to source control and install from them, with hash verification, on every pipeline run. In Python, generate hashes and refuse anything that does not match:
# Compile pinned, hashed requirements
pip-compile --generate-hashes -o requirements.txt requirements.in
# CI install: fail if any hash or version drifts
pip install --require-hashes -r requirements.txt
In Node, install strictly from the lockfile so a resolver cannot silently reach out for a new name:
npm ci # fails if package-lock.json and package.json disagree
Pinning does not stop a hallucinated name from entering the lockfile the first time, but it stops silent substitution afterward and gives you one reviewable file to audit.
2. Gate new dependencies behind human review
The single highest-value control for agentic setups: AI agents with package-management permissions must not install a package that is not already on an allowlist. Any new dependency routes to a human before it can execute. If you cannot build an allowlist yet, disable automated installation in agent environments until you can. The Cloud Security Alliance states the rule directly: agents "must be prohibited from installing packages without human review or an allowlist gate." Treat this as a governance boundary, not a preference, and manage it alongside your other enterprise AI agent governance layers.
3. Verify existence and age in the pipeline
Add a CI step that checks every dependency against the registry before install. Reject names that do not exist, and reject names first published inside a cooldown window. Most malicious packages are caught and removed within days, so a 30-day floor filters a large share of them. A minimal npm check:
#!/usr/bin/env bash
# Fail if a dependency is younger than 30 days or does not exist
COOLDOWN_DAYS=30
now=$(date +%s)
for pkg in $(jq -r '.packages | keys[] | select(. != "")' package-lock.json | sed 's|node_modules/||'); do
created=$(curl -s "https://registry.npmjs.org/${pkg}" | jq -r '.time.created // empty')
[ -z "$created" ] && { echo "MISSING on registry: $pkg"; exit 1; }
age=$(( (now - $(date -d "$created" +%s)) / 86400 ))
[ "$age" -lt "$COOLDOWN_DAYS" ] && { echo "TOO NEW ($age d): $pkg"; exit 1; }
done
The Python equivalent leans on the fact that pip download errors on a name that does not exist:
pip download --no-deps -d /tmp/wheels -r requirements.txt
4. Enforce a version cooldown for agents
Extend the age check to updates, not just first use. New versions should be uninstallable by agents for a window after publication, commonly 24 to 72 hours, so that an agent only ever resolves versions that have survived initial community and automated review. This is cheap to implement as a policy in your dependency proxy or in the CI check above, and it closes the fast-propagation path where an agent commits and pushes a poisoned version before any monitor fires.
5. Scope internal packages to a private registry
Prefix internal packages with an organisation scope, for example @ecorpit/analytics, and configure the package manager to resolve that scope only from your private registry. This defeats dependency-confusion style substitution, where a public package with the same name as your internal one gets pulled in preference. Scoping is a one-time configuration change with a large payoff.
6. Run software composition analysis on AI-generated code
Configure SCA tooling to flag any package registered within the last 30 to 90 days before your first use, and to surface publisher reputation and post-install scripts. Commercial tools including Socket.dev, Snyk and Aikido automate this and integrate into the IDE and CI so the check happens before a dependency is merged, not after an incident. The point is to make verification automatic and low-friction rather than a manual step a busy developer skips. The same discipline that catches silent failures in AI agent CI/CD applies here: if the check is not in the pipeline, it does not happen.
7. Produce an SBOM and lower generation temperature
Generate a Software Bill of Materials for every AI-assisted codebase entering production, as a mandatory CI step. An SBOM gives you traceability when a malicious package is identified later and lets you assess blast radius across every service quickly. Separately, where your tooling exposes it, lower the sampling temperature for code-generation tasks. Industry reporting links higher temperature, which increases output randomness, to higher hallucination rates, so a lower setting is a low-cost reduction in how often a model invents a name in the first place. The broader habit of treating AI framework inputs as untrusted is the same one behind securing AI agent frameworks against remote code execution.
The controls at a glance
| Control | What it stops | Effort to adopt |
|---|---|---|
| Pinned, hashed lockfiles | Silent substitution after first install | Low |
| Allowlist gate for agents | Autonomous install of any new name | Medium |
| Registry existence and age check | Non-existent and brand-new names | Low |
| Version cooldown (24 to 72 hours) | Fast-propagating poisoned updates | Low |
| Private-registry scopes | Dependency-confusion substitution | Low |
| SCA on AI-generated code | Low-reputation and recently registered names | Medium |
| SBOM plus lower temperature | Untraceable blast radius; frequency of hallucination | Medium |
India-specific considerations
For Indian product teams and the global capability centres concentrated in Gurugram, Bengaluru and Hyderabad, two forces meet here. AI-assisted development has been adopted quickly to compress delivery timelines, and the Digital Personal Data Protection Act, 2023 raises the cost of a breach that exposes personal data. A malicious post-install script that exfiltrates a database credential is not only a security incident; under the DPDP Act it can become a reportable personal-data breach with regulatory consequences. Teams building for the Indian market should fold these dependency controls into the same engineering process they use for privacy compliance, rather than running them separately, and budget for it: a single SCA and private-registry setup for a mid-size team is a modest recurring cost, often in the range of a few lakh rupees a year, against a breach that can run far higher. Our DPDP engineering playbook for Indian startups covers where supply-chain integrity fits in a wider compliance program.
FAQ
How eCorpIT can help
eCorpIT is a senior-led engineering organisation in Gurugram that builds and secures software delivery pipelines for teams shipping with AI coding assistants. We design CI/CD workflows aligned with the controls above, from lockfile hashing and registry cooldown checks to private-registry scoping, software composition analysis and SBOM generation, and we help teams set the agent guardrails that keep autonomous tooling from installing unverified dependencies. If your team has adopted AI-assisted development faster than its supply-chain controls, contact us to review your pipeline.
References
- Cloud Security Alliance AI Safety Initiative. "Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks." 19 April 2026.
- Joseph Spracklen et al. "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs." USENIX Security Symposium, 2025.
- Aleksandr Churilov. "The Range Shrinks, the Threat Remains: Re-evaluating LLM Package Hallucinations on the 2026 Frontier-Model Cohort." 2026.
- Phil Muncaster. "AI Hallucinations Create 'Slopsquatting' Supply Chain Threat." Infosecurity Magazine, 14 April 2025.
- Aikido Security. "Slopsquatting: The AI Package Hallucination Attack Already Happening." 2026.
- Datadog Security Labs. "LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign." March 2026.
- Andrew Nesbitt. "Package Security Problems for AI Agents." 8 April 2026.
- Snyk. "Package Hallucinations: Impacts and Mitigation." 2026.
- VentureBeat. "Forget typosquatting; slopsquatting is the software supply chain threat created by AI coding tools." 2026.
- Palo Alto Networks Unit 42. "The npm Threat Landscape: Attack Surface and Mitigations." Updated 15 July 2026.
- Endor Labs. "Slopsquatting: When AI Agents Hallucinate Malicious Packages." 2026.
- Cloud Security Alliance. "AI Controls Matrix." 2025.
_Last updated: 18 July 2026._