Security researcher Seth Larson coined the term “slopsquatting” to describe a supply chain attack that exploits AI hallucinations: when developers copy package names from AI coding assistants without verifying them, attackers can preemptively register those non-existent package names in PyPI and npm with malicious code. Unlike typosquatting, the package names are not typographical variants — they are exact names that AI models consistently fabricate.
How AI Hallucinations Create a Registerable Attack Surface
Threat actors create malicious packages in popular repositories like PyPI and npm, targeting the specific names that AI coding assistants fabricate. Unlike traditional typosquatting attacks that rely on common typing mistakes, slopsquatting specifically targets the “hallucinations” produced by AI coding assistants, creating a new avenue for supply chain compromises.
AI Models’ Vulnerability Assessment
Recent security research has revealed alarming statistics about AI coding assistants’ reliability. Approximately 20% of AI-generated recommendations reference non-existent packages, with open-source models like CodeLlama, DeepSeek, and WizardCoder showing the highest error rates. Even advanced commercial solutions such as ChatGPT-4 demonstrate a significant 5% error rate in package recommendations.
Statistical Analysis of AI Hallucinations
A comprehensive analysis has identified over 200,000 unique fictitious package names generated by AI models. 43% of these names consistently appear across multiple AI responses to similar queries. The structural breakdown reveals that 38% closely resemble legitimate packages, 13% represent typical typing errors, and 51% are completely fabricated names, creating a vast attack surface for potential exploitation.
Security Mitigation Strategies
To protect against slopsquatting attacks, security experts recommend implementing a multi-layered defense approach:
- Manual verification of all package names before implementation
- Deployment of comprehensive dependency scanners
- Implementation of strict package hash verification protocols
- Reduction of AI model temperature settings to minimize hallucinations
- Isolated testing environments for AI-generated code evaluation
Since 43% of AI-hallucinated package names appear consistently across multiple queries, an attacker only needs to register a static list of high-frequency hallucinations to intercept a large proportion of affected installs. Development teams should add automated package resolution verification — tools like pip-audit, Socket, or Dependabot — to their CI pipelines, and configure pip with --require-hashes to prevent installation of packages that weren’t explicitly pinned in a verified lockfile.
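As an added illustration (not code from the original article), a small Python pre-install gate that applies the lockfile and hash checks described above: it flags AI-generated requirement lines that name a package outside a team's verified lockfile allowlist, are not exact-pinned, or carry no --hash entry (which pip's --require-hashes mode would reject). The sample requirements, the all-zero placeholder hash, the name example-hallucinated-pkg and the allowlist are constructed for the demonstration.

```python
from __future__ import annotations
import re

# PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# name, optional extras, optional exact pin; anything after is an option such as --hash
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==\s*\S+)?")

def check_requirements(text: str, verified_names: set[str]) -> list[dict]:
    """Return one finding per problem in an AI-generated requirements list.

    verified_names is the team's reviewed allowlist (e.g. names from the existing
    hash-pinned lockfile); anything outside it is treated as possibly hallucinated.
    """
    verified = {normalize(n) for n in verified_names}
    findings: list[dict] = []
    # pip-compile --generate-hashes splits entries over backslash-continued lines
    text = text.replace("\\\n", " ")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or line.startswith("-"):     # skip options such as -r / --index-url
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append({"line": lineno, "name": None, "issue": "unparseable"})
            continue
        name = normalize(m.group(1))
        if name not in verified:
            findings.append({"line": lineno, "name": name, "issue": "not-in-verified-lockfile"})
        if not m.group(3):
            findings.append({"line": lineno, "name": name, "issue": "not-pinned"})
        if "--hash=sha256:" not in line:         # would be rejected by --require-hashes
            findings.append({"line": lineno, "name": name, "issue": "no-hash"})
    return findings

# Constructed sample: one correct line, one pinned but unhashed line, and one bare
# name standing in for a hallucinated package (placeholder, not a real project).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Flask == 3.0.0
example-hallucinated-pkg
"""
VERIFIED_LOCKFILE_NAMES = {"requests", "flask", "numpy"}   # constructed allowlist

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS, VERIFIED_LOCKFILE_NAMES):
        print(f"line {f['line']}: {f['name']}: {f['issue']}")
```

Wiring this in front of `pip install --require-hashes` in CI turns an unreviewed, AI-suggested name into a failed build rather than a resolved install.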