The Discovery

Bar Lanyado was working as a security researcher at Vulcan Cyber when he first noticed something odd about how AI code assistants answered programming questions. When asked for help with tasks that required third-party libraries, models like ChatGPT would confidently recommend packages that didn't exist. The recommendations looked plausible - the names followed real naming conventions, they sounded like they'd fit the described use case - but searching for them on PyPI, npm, or GitHub came up empty.

This wasn't a rare glitch. Lanyado found that for nearly 30% of his coding questions, the model recommended at least one package that didn't exist on any real repository. The hallucinations weren't random gibberish, either. They were linguistically sensible names that a developer might plausibly have created. A model asked about interacting with Hugging Face's CLI, for instance, would recommend installing a package called huggingface-cli. The real tool installs via pip install -U "huggingface_hub[cli]", but the shorter, more intuitive name is what the model consistently generated.

After moving to Lasso Security, Lanyado expanded the research. He tested four different models - GPT-3.5-Turbo, GPT-4, Gemini Pro (formerly Bard), and Coral from Cohere - asking each the same set of questions 100 times. The results showed that the hallucinations were highly repetitive. The same nonexistent package names kept appearing across multiple runs. Different developers asking different questions about the same topic would get the same fabricated package recommendations. The hallucinations were consistent enough to be predictable, which meant they were consistent enough to be exploited.

The Attack Mechanic

The attack itself is simple. An attacker asks an AI code assistant a series of programming questions and collects the hallucinated package names from the responses. They then register real packages under those names on public repositories like PyPI (for Python) or npm (for JavaScript). Inside those packages, they embed malicious code - data exfiltration scripts, backdoors, credential stealers, whatever the attacker wants to distribute.

Then they wait. The next developer who asks an AI assistant a similar question will get the same hallucinated recommendation. If that developer installs the package without checking whether it's legitimate, the malicious code runs on their system.

To prove this wasn't theoretical, Lanyado took one of the hallucinated package names he'd encountered - huggingface-cli - and uploaded an empty package with that name to the Hugging Face repository. Within a short period, the package accumulated real downloads. Developers (or automated systems acting on AI recommendations) were installing it based on nothing more than an LLM's fabricated suggestion.

The attack sits at the intersection of two trends: developers' growing reliance on AI code assistants, and the longstanding problem of supply-chain attacks on open-source package ecosystems. Traditional supply-chain attacks often rely on typosquatting - registering packages with names close to popular ones, hoping developers will make a typo. Slopsquatting is different. Instead of betting on human typing errors, it bets on AI hallucinations, which are far more consistent and predictable than individual typos.

Naming the Problem

Seth Michael Larson, the security developer-in-residence at the Python Software Foundation, coined the term "slopsquatting" to describe this class of attack. The name combines "slop" - a common pejorative for AI-generated output - with "squatting," the long-established practice of registering domains or package names someone else is likely to seek out. Larson's framing helped crystallize the issue in the security community and gave researchers a shared term for what had been described in various ways across different reports.

The term stuck quickly. By 2025, "slopsquatting" appeared in security advisories, vendor reports, and academic papers. It also resonated because it captured something uncomfortable about the AI code assistance model: even when developers trust the output, the models are generating text based on statistical patterns, not verified databases of real packages. A model that frequently hallucinates flask-restful-plus when asked about Flask REST API extensions has no awareness that the package doesn't exist. It just knows the name fits the statistical distribution of likely token sequences for that context.

Academic Confirmation

A joint research team from the University of Texas at San Antonio, University of Oklahoma, and Virginia Tech conducted what became the first large-scale systematic analysis of package hallucinations in LLM-generated code. Their paper examined the behavior of multiple AI models across diverse coding tasks and programming languages.

The numbers were striking. Across all models tested, the researchers observed over 205,000 unique hallucinated package names. At higher temperature settings (the parameter that controls how much randomness a model introduces into its outputs), some models generated more hallucinated packages than real ones. The hallucinations appeared across Python, JavaScript, Go, .NET, and other ecosystems, with Go and .NET producing particularly high rates of fabricated packages.

Lanyado's earlier finding that 215 hallucinated packages were shared across all four models he tested was also significant. These cross-model hallucinations are the highest-value targets for attackers, because a malicious package registered under one of those names would be recommended by multiple different AI tools. A developer using ChatGPT for one project and Gemini for another could encounter the same fake package both times.

The Vibe Coding Amplifier

The risk escalated as AI-assisted development evolved from code completion into full agent-based workflows. Early AI coding tools suggested code snippets that developers would review before running. Newer tools - AI "agents" like Claude Code CLI, OpenAI Codex CLI, and Cursor AI - can install packages automatically as part of completing a task. When an AI agent decides it needs a particular library and runs pip install or npm install on its own, the developer may never see the package name before it's already on their system.

This is where the "vibe coding" trend compounds the problem. Vibe coding - the practice of using AI tools to generate entire applications with minimal human review of the generated code - means developers are less likely to notice when an AI installs a package they've never heard of. The whole point is to move fast and trust the tool. That trust is exactly what slopsquatting exploits.

Trend Micro's research confirmed that even advanced coding agents with real-time package validation can still hallucinate packages. Testing Cursor AI, they found it occasionally suggested modules like graphitorm and morpher - plausible-sounding names that don't correspond to real packages. Even agents with MCP-backed validation (Model Context Protocol, which allows the agent to query external tools to verify facts) couldn't catch every case.

The Feedback Loop

Aikido security researcher Charlie Eriksen discovered an additional wrinkle: hallucinated packages can spread through AI infrastructure without any attacker involvement at all. He found AI agents in production environments attempting to install hallucinated package names that nobody had registered. The hallucination propagated from one model's output into another system's input, creating a chain of automated actions based on fabricated information.

There's also a search engine amplification problem. As AI-generated content floods the web, hallucinated package names start appearing in blog posts, tutorials, and forum answers written or summarized by AI. When a developer searches for one of these packages, they may encounter Google AI Overview summaries praising the nonexistent package as "useful, stable, well-maintained" - because the search AI is drawing on the same AI-generated corpus that created the hallucination in the first place. Feross Aboukhadijeh, founder of Socket, pointed to an incident where Google's AI Overview confidently recommended a malicious npm package @async-mutex/mutex that was typosquatting the legitimate async-mutex.

The Defense Challenge

Defending against slopsquatting is difficult because it attacks a trust point that most development workflows don't audit. Traditional package security focuses on known vulnerabilities in existing packages, not on whether a package should exist at all. Developers are trained to update dependencies and scan for CVEs, not to question whether the package their AI assistant recommended is real.

The academic researchers recommended that LLM creators implement package validation layers - checking recommended package names against real registries before including them in outputs. Some AI coding tools have started doing this, but coverage is incomplete and edge cases remain.

For individual developers, the standard advice is unglamorous: verify package names before installing them. Check that the package exists on the relevant registry, has a reasonable download count, has source code you can inspect, and has a publication history that predates the AI era. Software Bills of Materials (SBOMs) can help organizations track what's in their dependency trees and flag unfamiliar entries.

Sandboxed installation environments provide another layer of protection. Running AI-suggested package installations in isolated environments before deploying to production systems limits the damage if a malicious package gets through.

But the fundamental tension remains. Slopsquatting works because AI code assistants are designed to be helpful and fast, and developers are under pressure to produce code quickly. The very qualities that make AI coding tools attractive - speed, confidence, reduced friction - are the same qualities that make slopsquatting effective. An AI assistant that pauses to say "I'm not sure if this package exists" would be slower and less confident. An AI assistant that confidently recommends a fabricated, potentially malicious package is faster and more dangerous.