Slopsquatting in 2026: 7 controls to stop AI-hallucinated packages in CI

How slopsquatting works, how often models hallucinate packages, and seven CI controls to block AI-invented dependencies before they ship.

Read time
14 min
Word count
2.3K
Sections
9
FAQs
8
Share
Glowing security shield over a stream of software package blocks at a developer workstation
Slopsquatting turns AI package hallucinations into a supply-chain attack.
On this page · 9 sections
  1. What slopsquatting is
  2. How often models actually hallucinate packages
  3. Why slopsquatting beats plain typosquatting
  4. Confirmed incidents in 2026
  5. Seven controls to block hallucinated packages in CI
  6. India-specific considerations
  7. FAQ
  8. How eCorpIT can help
  9. References

Summary. The newest weak point in your dependency tree is a package your AI assistant invented. Researchers at the University of Texas at San Antonio, the University of Oklahoma and Virginia Tech generated 2.23 million code samples across 16 code-generating models and found that 19.7% contained at least one hallucinated package name, spanning 205,474 unique fabricated names (Spracklen et al., USENIX Security 2025, as documented by the Cloud Security Alliance). Open-source models hallucinated at 21.7% on average and commercial models at 5.2%; GPT-4 Turbo was lowest at 3.59%, while some CodeLlama configurations passed 33%. The attack that exploits this is slopsquatting: an attacker registers a hallucinated name on npm or PyPI, and every developer whose model invents that same name pulls the attacker's code. Registering the name costs an attacker $0. The hallucinations also repeat: re-running one prompt ten times, 43% of fabricated names appeared every single time. A 2026 replication on five frontier models, including Claude Haiku 4.5 and GPT-5.4-mini, narrowed the spread to between 4.62% and 6.10% but did not close it. This guide covers what slopsquatting is, the confirmed 2026 incidents, and seven controls that block hallucinated dependencies in your CI pipeline.

What slopsquatting is

The term was coined by Seth Larson, developer-in-residence at the Python Software Foundation, as a play on typosquatting. Typosquatting bets on a human typing expresss instead of express. Slopsquatting removes the typo and bets on the machine instead: a large language model confidently recommends a package that never existed, and an attacker pre-registers that exact name on a public registry before anyone else claims it. The next developer who prompts the same model for the same task receives the same recommendation, runs npm install or pip install, and pulls the attacker's payload.

Package hallucinations are not one uniform mistake. The USENIX Security 2025 study, as summarised by the Cloud Security Alliance, split them into three groups: pure fabrications (51%), which are contextually plausible but entirely invented; conflations (38%), where the model merges two real names, for example combining jscodeshift and react-codemod into react-codeshift; and typo variants (13%), which closely resemble a real package. Conflations are the dangerous ones. A developer who has never used a specific tool has no obvious way to know that react-codeshift is not a real, widely used package, which is exactly what makes the name convincing enough to install.

There is a cross-ecosystem twist as well. The same research found that 8.7% of Python package names hallucinated by models actually exist on npm. A Python developer can install a JavaScript-ecosystem name by mistake, and an attacker can register that name on PyPI purely as a delivery vehicle.

How often models actually hallucinate packages

The headline number, 19.7% of samples containing at least one hallucinated import, is an average across a wide spread of models. The distinction that matters for policy is model class. Commercial, closed models hallucinate far less than open-weight ones, but none reach zero.

Model or class Package hallucination rate Source and notes
Open-source models (average) 21.7% Spracklen et al., USENIX Security 2025
Commercial models (average) 5.2% Spracklen et al., USENIX Security 2025
Some CodeLlama configurations Over 33% Highest band in the 2025 study
GPT-4 Turbo 3.59% Lowest measured rate in the 2025 study
Five 2026 frontier models 4.62% to 6.10% Churilov replication, 2026

The 2026 replication is the important update for anyone reassuring themselves that newer models fixed this. An independent researcher re-ran the original methodology on five code-capable models released between October 2025 and March 2026, including Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro and DeepSeek V3.2, across 199,845 paired Python and JavaScript prompts. Overall hallucination rates landed between 4.62% (Claude Haiku 4.5) and 6.10% (GPT-5.4-mini). That is an order-of-magnitude compression of the gap between the best and worst models, and it is still a real attack surface. The same paper identified 127 package names that all five models invented identically. After coordinated disclosure to PyPI Security and Socket.dev, 53 of those names, 41 on PyPI and 12 on npm, remained registrable by an attacker, which is a model-agnostic attack surface no single-model test would ever surface.

Why slopsquatting beats plain typosquatting

Typosquatting is a numbers game against random human error. Slopsquatting is a numbers game against predictable machine error, and predictability is the whole problem. When the USENIX researchers re-ran identical prompts ten times each, 43% of hallucinated package names reappeared on every run and 58% reappeared more than once; only 39% were unique to a single run. That consistency turns a hallucination into a reliable target.

Socket, the supply-chain security vendor credited with popularising the term, put the economics plainly in its reporting: "This consistency makes slopsquatting more viable than one might expect. Attackers don't need to scrape massive prompt logs or brute force potential names. They can simply observe LLM behavior, identify commonly hallucinated names, and register them." The defender has to validate every AI-suggested dependency; the attacker only has to watch which names a popular model keeps inventing and register them first.

Autonomous coding agents make the checkpoint disappear entirely. A human using an assistant still, in theory, reads the suggested code and might notice an unfamiliar import. An agent resolves packages programmatically. As independent researcher Andrew Nesbitt observed in April 2026, agents install dependencies without a human glancing at the name to notice something is off. Worse, in an agentic pipeline the post-install script of a malicious package runs in an environment that usually holds cloud credentials, source-control tokens and model API keys, so a single bad install can reach far past one laptop. This is the same reason we treat prompt handling carefully when hardening AI coding agents against shell injection: the agent's autonomy is the attack surface.

The cultural shift toward accepting AI output with little review, often called vibe coding, lowers the bar further. The implicit assumption is that generated code is roughly correct. A 19.7% package hallucination rate says that assumption is unsafe for dependency management specifically.

Confirmed incidents in 2026

Slopsquatting is not a thought experiment. Several cases are documented.

The clearest is unused-imports on npm. AI models hallucinate this name in place of the legitimate eslint-plugin-unused-imports. As of early February 2026 the malicious package was still live and pulling roughly 233 downloads a week even after npm placed a security hold on it, according to Aikido Security.

Security researcher Bar Lanyado documented a related pattern with huggingface-cli: an organisation copied an AI-recommended install command into public documentation without verifying it, and that apparent endorsement helped the hallucinated name accumulate over 30,000 downloads within three months. Institutionally trusted documentation propagated a name that should never have existed.

The conflation example from the taxonomy showed up in the wild too. Researcher Charlie Eriksen found react-codeshift spreading through 237 repositories via AI-generated agent skills, with downloads driven not by humans copying snippets but by agents executing their own generated output.

One important boundary: not every AI-adjacent supply-chain attack is slopsquatting. The TeamPCP campaign that hit PyPI in March 2026 compromised two widely used packages, the litellm LLM proxy and the telnyx telephony SDK, through credential theft and reuse rather than package hallucination, per Datadog Security Labs. It matters because litellm is itself a dependency in many AI pipelines, so the lesson is that attackers are targeting AI tooling infrastructure through whatever vector works. Slopsquatting is one of several, and your controls should assume more than one.

Seven controls to block hallucinated packages in CI

The defence is not a single scanner. It is a small set of pipeline controls that make an AI-invented dependency fail closed before it reaches production. None of these require you to abandon AI-assisted development; they require you to stop trusting AI-generated import and require statements as verified input.

1. Pin and hash-verify every lockfile

Commit lockfiles to source control and install from them, with hash verification, on every pipeline run. In Python, generate hashes and refuse anything that does not match:


            # Compile pinned, hashed requirements
pip-compile --generate-hashes -o requirements.txt requirements.in
# CI install: fail if any hash or version drifts
pip install --require-hashes -r requirements.txt
          

In Node, install strictly from the lockfile so a resolver cannot silently reach out for a new name:


            npm ci   # fails if package-lock.json and package.json disagree
          

Pinning does not stop a hallucinated name from entering the lockfile the first time, but it stops silent substitution afterward and gives you one reviewable file to audit.

2. Gate new dependencies behind human review

The single highest-value control for agentic setups: AI agents with package-management permissions must not install a package that is not already on an allowlist. Any new dependency routes to a human before it can execute. If you cannot build an allowlist yet, disable automated installation in agent environments until you can. The Cloud Security Alliance states the rule directly: agents "must be prohibited from installing packages without human review or an allowlist gate." Treat this as a governance boundary, not a preference, and manage it alongside your other enterprise AI agent governance layers.

3. Verify existence and age in the pipeline

Add a CI step that checks every dependency against the registry before install. Reject names that do not exist, and reject names first published inside a cooldown window. Most malicious packages are caught and removed within days, so a 30-day floor filters a large share of them. A minimal npm check:


            #!/usr/bin/env bash
# Fail if a dependency is younger than 30 days or does not exist
COOLDOWN_DAYS=30
now=$(date +%s)
for pkg in $(jq -r '.packages | keys[] | select(. != "")' package-lock.json | sed 's|node_modules/||'); do
  created=$(curl -s "https://registry.npmjs.org/${pkg}" | jq -r '.time.created // empty')
  [ -z "$created" ] && { echo "MISSING on registry: $pkg"; exit 1; }
  age=$(( (now - $(date -d "$created" +%s)) / 86400 ))
  [ "$age" -lt "$COOLDOWN_DAYS" ] && { echo "TOO NEW ($age d): $pkg"; exit 1; }
done
          

The Python equivalent leans on the fact that pip download errors on a name that does not exist:


            pip download --no-deps -d /tmp/wheels -r requirements.txt
          

4. Enforce a version cooldown for agents

Extend the age check to updates, not just first use. New versions should be uninstallable by agents for a window after publication, commonly 24 to 72 hours, so that an agent only ever resolves versions that have survived initial community and automated review. This is cheap to implement as a policy in your dependency proxy or in the CI check above, and it closes the fast-propagation path where an agent commits and pushes a poisoned version before any monitor fires.

5. Scope internal packages to a private registry

Prefix internal packages with an organisation scope, for example @ecorpit/analytics, and configure the package manager to resolve that scope only from your private registry. This defeats dependency-confusion style substitution, where a public package with the same name as your internal one gets pulled in preference. Scoping is a one-time configuration change with a large payoff.

6. Run software composition analysis on AI-generated code

Configure SCA tooling to flag any package registered within the last 30 to 90 days before your first use, and to surface publisher reputation and post-install scripts. Commercial tools including Socket.dev, Snyk and Aikido automate this and integrate into the IDE and CI so the check happens before a dependency is merged, not after an incident. The point is to make verification automatic and low-friction rather than a manual step a busy developer skips. The same discipline that catches silent failures in AI agent CI/CD applies here: if the check is not in the pipeline, it does not happen.

7. Produce an SBOM and lower generation temperature

Generate a Software Bill of Materials for every AI-assisted codebase entering production, as a mandatory CI step. An SBOM gives you traceability when a malicious package is identified later and lets you assess blast radius across every service quickly. Separately, where your tooling exposes it, lower the sampling temperature for code-generation tasks. Industry reporting links higher temperature, which increases output randomness, to higher hallucination rates, so a lower setting is a low-cost reduction in how often a model invents a name in the first place. The broader habit of treating AI framework inputs as untrusted is the same one behind securing AI agent frameworks against remote code execution.

The controls at a glance

Control What it stops Effort to adopt
Pinned, hashed lockfiles Silent substitution after first install Low
Allowlist gate for agents Autonomous install of any new name Medium
Registry existence and age check Non-existent and brand-new names Low
Version cooldown (24 to 72 hours) Fast-propagating poisoned updates Low
Private-registry scopes Dependency-confusion substitution Low
SCA on AI-generated code Low-reputation and recently registered names Medium
SBOM plus lower temperature Untraceable blast radius; frequency of hallucination Medium

India-specific considerations

For Indian product teams and the global capability centres concentrated in Gurugram, Bengaluru and Hyderabad, two forces meet here. AI-assisted development has been adopted quickly to compress delivery timelines, and the Digital Personal Data Protection Act, 2023 raises the cost of a breach that exposes personal data. A malicious post-install script that exfiltrates a database credential is not only a security incident; under the DPDP Act it can become a reportable personal-data breach with regulatory consequences. Teams building for the Indian market should fold these dependency controls into the same engineering process they use for privacy compliance, rather than running them separately, and budget for it: a single SCA and private-registry setup for a mid-size team is a modest recurring cost, often in the range of a few lakh rupees a year, against a breach that can run far higher. Our DPDP engineering playbook for Indian startups covers where supply-chain integrity fits in a wider compliance program.

FAQ

How eCorpIT can help

eCorpIT is a senior-led engineering organisation in Gurugram that builds and secures software delivery pipelines for teams shipping with AI coding assistants. We design CI/CD workflows aligned with the controls above, from lockfile hashing and registry cooldown checks to private-registry scoping, software composition analysis and SBOM generation, and we help teams set the agent guardrails that keep autonomous tooling from installing unverified dependencies. If your team has adopted AI-assisted development faster than its supply-chain controls, contact us to review your pipeline.

References

  1. Cloud Security Alliance AI Safety Initiative. "Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks." 19 April 2026.
  1. Joseph Spracklen et al. "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs." USENIX Security Symposium, 2025.
  1. Aleksandr Churilov. "The Range Shrinks, the Threat Remains: Re-evaluating LLM Package Hallucinations on the 2026 Frontier-Model Cohort." 2026.
  1. Phil Muncaster. "AI Hallucinations Create 'Slopsquatting' Supply Chain Threat." Infosecurity Magazine, 14 April 2025.
  1. Aikido Security. "Slopsquatting: The AI Package Hallucination Attack Already Happening." 2026.
  1. Datadog Security Labs. "LiteLLM and Telnyx Compromised on PyPI: Tracing the TeamPCP Supply Chain Campaign." March 2026.
  1. Andrew Nesbitt. "Package Security Problems for AI Agents." 8 April 2026.
  1. Snyk. "Package Hallucinations: Impacts and Mitigation." 2026.
  1. VentureBeat. "Forget typosquatting; slopsquatting is the software supply chain threat created by AI coding tools." 2026.
  1. Palo Alto Networks Unit 42. "The npm Threat Landscape: Attack Surface and Mitigations." Updated 15 July 2026.
  1. Endor Labs. "Slopsquatting: When AI Agents Hallucinate Malicious Packages." 2026.
  1. Cloud Security Alliance. "AI Controls Matrix." 2025.

_Last updated: 18 July 2026._

Frequently asked

Quick answers.

01 What is slopsquatting?
Slopsquatting is a software supply-chain attack that exploits AI package hallucinations. A language model recommends a package name that does not exist, an attacker registers that exact name on npm or PyPI, and developers whose models suggest the same name install the attacker's code. Seth Larson of the Python Software Foundation coined the term.
02 How common are AI package hallucinations?
In the USENIX Security 2025 study of 2.23 million samples across 16 models, 19.7% contained at least one hallucinated package name, totalling 205,474 unique fabricated names. Open-source models averaged 21.7% and commercial models 5.2%. A 2026 replication on five frontier models measured a narrower 4.62% to 6.10%, so the risk shrank but did not disappear.
03 Why is slopsquatting worse than typosquatting?
Typosquatting relies on random human typos. Slopsquatting relies on predictable machine errors. When researchers re-ran prompts ten times, 43% of hallucinated names recurred on every run, so an attacker can watch a popular model, learn which names it invents, and register them with high confidence that future developers will receive the same suggestion.
04 Do autonomous coding agents increase the risk?
Yes. A human might notice an unfamiliar import, but an agent resolves and installs packages programmatically with no such checkpoint. A malicious post-install script then runs in an environment that often holds cloud credentials, source-control tokens and API keys, so one bad install by an agent can compromise an entire pipeline rather than a single machine.
05 Has slopsquatting actually been exploited?
Yes. The npm package unused-imports, hallucinated in place of eslint-plugin-unused-imports, still recorded about 233 weekly downloads in early February 2026 despite a security hold. The huggingface-cli name reached over 30,000 downloads in three months, and react-codeshift spread through 237 repositories via AI-generated agent skills.
06 Which single control helps most?
For teams using agents, the allowlist gate is highest value: no agent installs a package that is not pre-approved, and any new dependency routes to a human first. For teams still driven by human developers, a CI check that rejects non-existent names and anything published inside a 30-day cooldown blocks the largest share of malicious packages.
07 Does lowering model temperature reduce hallucinations?
Industry reporting links higher temperature, which increases output randomness, to higher package hallucination rates, so lowering it for code-generation tasks is a cheap partial mitigation. It reduces frequency rather than eliminating the problem, so it should sit alongside pipeline controls such as lockfile pinning, registry checks and software composition analysis, never replace them.
08 What is an SBOM and why does it matter here?
A Software Bill of Materials is a machine-readable inventory of every component in a build. For AI-assisted code it provides traceability: when a malicious package is later identified, an SBOM lets you find every service that pulled it and assess blast radius quickly. The Cloud Security Alliance recommends generating one for all AI-generated codebases entering production.

About the author

Manu Shukla

Founder & Director

Founder of eCorpIT. Hands-on engineer leading senior-only delivery for AI apps, custom software, and cloud systems for global clients.

Subscribe

One engineering note a week. No fluff, no spam.

Senior-architect playbooks on AI agents, mobile apps, cloud, security, data, and marketing — delivered every Wednesday.

Past the reading

Read enough. Let's build something.

A senior architect responds in 24 working hours with scope, indicative cost, and a timeline. NDA before any technical conversation.