🎯 Free Website Audit. Get Yours →
Optimum Web
Security 10 min read

Your AI Assistant Just Recommended a Package That Doesn't Exist. Someone Already Registered It.

A developer asks an AI coding assistant to connect a Node.js project to a database. The assistant doesn't have a ready answer, but it needs to give one, so it invents a package name that sounds right. The name gets installed. Somewhere, an attacker who has been watching for exactly this kind of prompt already claimed that name months ago and filled it with a credential stealer.

This isn't a hypothetical. It's a documented attack pattern with a name: slopsquatting. An attacker registers a package name that AI models predictably invent, so that a developer or an autonomous coding agent installing the AI's suggestion runs the attacker's code instead.

  • About 20% of AI-generated package references point to packages that don't exist, per USENIX Security 2025 research
  • 43% of hallucinated names reappear on every single re-run of the same prompt
  • 127 hallucinated package names were found consistent across five frontier models in a May 2026 replication
  • Real malicious packages exploiting this have already reached tens of thousands of downloads

The Numbers Behind the Hallucination Problem

Researchers from the University of Texas at San Antonio, University of Oklahoma, and Virginia Tech ran 576,000 AI-generated code samples through 16 different large language models for a USENIX Security 2025 study. Roughly 20% of the samples referenced Python or JavaScript packages that simply don't exist. Commercial models did better than open-source ones (an average hallucination rate of 5.2% versus 21.7%), but "better" still means a meaningful share of suggestions point to nothing at all. Some CodeLlama configurations exceeded a 33% hallucination rate.

What makes this exploitable rather than just annoying is repeatability. When the same researchers re-ran identical prompts ten times, 43% of the hallucinated package names came back on every single run, and 58% reappeared more than once. An attacker doesn't need to guess. They can run a batch of common prompts against a popular model, note which fake names keep showing up, and register those names before any real developer gets there. A May 2026 replication found 127 hallucinated package names that showed up consistently across five different frontier models, including Claude and GPT variants, Gemini, and DeepSeek, which means one attacker's list of squatted names can pay off against a whole market of AI tools at once, not just one.

It Has Already Happened, More Than Once

The clearest case is a fake npm package called unused-imports. AI models kept suggesting it instead of the real eslint-plugin-unused-imports. Even after npm placed a security hold on it, the malicious package was still recording over 200 weekly downloads as of February 2026.

Another case involved huggingface-cli. Security researcher Bar Lanyado found that an AI-recommended install command for a package that didn't exist got copied, apparently without verification, into public documentation associated with Alibaba. That single copy-paste amplified the package's apparent legitimacy enough that it picked up more than 30,000 downloads in three months.

A third case shows how agentic workflows raise the stakes further. In January 2026, researcher Charlie Eriksen found a hallucinated npm package called react-codeshift, invented by an LLM blending two real tools (jscodeshift and react-codemod) into a plausible-sounding name that had never existed before. Before he could claim it defensively, the name had already spread through 237 GitHub repositories via AI-generated agent skill files, with autonomous agents attempting to install it on their own, with no human in the loop to notice the name looked off.

That last point matters more than any individual incident. Traditional slopsquatting still relies on a human developer reviewing a suggestion and choosing to install it. Autonomous coding agents remove that checkpoint entirely. They resolve dependencies programmatically, at machine speed, across CI/CD pipelines that never pause to ask whether a name looks right.

Attackers Have Stopped Waiting for Hallucinations and Started Engineering Them

The pattern has moved beyond opportunistic name-squatting into something more deliberate. ReversingLabs documented a campaign, attributed to the North Korea-linked group Famous Chollima, that engineered npm packages specifically to look attractive to AI coding agents rather than to human reviewers, on the theory that an agent resolving dependencies unsupervised is an easier target than a developer reading a changelog. Separate reporting has described a related North Korean operation that backdoored 144 AI-related packages in a window of roughly 88 minutes, a pace that only makes sense if the publishing was automated.

A related technique surfaced in early 2026 through what researchers call the Clinejection incident. On February 9, security researcher Adnan Khan disclosed a vulnerability chain in the Cline AI coding tool's own GitHub repository. Cline had added an AI-powered issue triage workflow configured with settings that let any GitHub user trigger it and gave the agent broad tool access, including arbitrary shell commands, on the runner. That combination turned a routine automation feature into a path for anyone to run code inside the project's own CI environment.

A third technique targets the model's training and retrieval process directly. Researchers found a legitimate open-source project that had included a fabricated package called @solana-launchpad/sdk as a dependency, co-authored by an AI coding agent. The working theory is that attackers had seeded documentation and code samples designed to make a specific fake package look like the obvious, well-documented choice to an LLM, turning the attack from simple name-squatting into a form of knowledge poisoning aimed at the model itself.

None of this is limited to hallucinated names anymore. A March 2026 campaign compromised two legitimate, widely used Python packages, litellm and telnyx, through stolen and reused publishing credentials. The target was deliberate: litellm sits inside a large number of AI development pipelines, which makes it a high-value entry point regardless of the specific technique used to compromise it.

Why the Usual Defenses Fall Short

The classic protection against typosquatting is collision detection: flag a new package name that looks suspiciously close to an existing one. Slopsquatting defeats this completely, because hallucinated names aren't misspellings of anything. They're brand-new strings an LLM invented, with no collision to detect.

There's a second wrinkle that's easy to miss: cross-registry confusion. Research has found that a meaningful share of Python packages hallucinated by AI models actually exist as real packages on npm. A developer working in Python could unknowingly install a JavaScript-ecosystem package, or an attacker could register that exact name on PyPI specifically to catch that mistake.

A simple registry lookup before install helps, but it isn't enough on its own. It confirms a package exists and nothing more. It doesn't confirm the package was registered before your project started referencing it, that its publisher has a real track record, or that nothing in its install scripts reaches out for credentials the moment it's installed.

📦 AI Supply Chain Guard — $390

Stop hallucinated packages and malicious dependencies before they reach your codebase. Continuous monitoring for npm, pip, cargo, and Maven.

  • Continuous dependency monitoring for CVEs and reputation scores
  • Watchlist of known hallucinated package names (updated weekly)
  • Provenance verification for every package
  • Auto-block suspicious dependencies in CI/CD pipeline

$390 fixed price · 5-7 business days · senior only

AI Supply Chain Guard — $390, 5-7 business days →
🏥MOST POPULAR STARTING POINT

IT Health Check — Just €5

Full infrastructure scan in 15 minutes. Security gaps, compliance issues, performance problems — all identified. You decide what to fix.

  • Security vulnerabilities scan
  • Compliance gap analysis
  • Performance bottleneck check
  • Prioritized action plan
€5

one-time · 15 min · instant results

Run Health Check — €5 →

1,200+ companies checked this year

What Actual Protection Looks Like

Treating AI-suggested dependencies as untrusted input, the same way you'd treat any external data, changes the calculus. In practice that means several layers working together, not one silver-bullet check: continuous dependency monitoring (not a one-time scan at install), a living watchlist of known hallucinated names refreshed regularly, provenance verification for every package confirming it was registered before your project needed it, lockfile pinning and cryptographic hash verification enforced in CI/CD, isolated sandboxed installs for anything AI-generated or first-seen, an allowlist gate for autonomous agents specifically, and pull request-level dependency review so a new or first-seen package triggers a visible flag in code review rather than disappearing quietly into a diff.

SlopsquattingAI Hallucinated PackagesPackage Hallucination AttackAI Supply Chain Securitynpm & PyPI SecurityAI Coding Agent SecuritySupply Chain SecurityAI Supply Chain GuardAI Shield2026

Frequently Asked Questions

What is slopsquatting?
Slopsquatting is a supply chain attack where an attacker registers a package name that an AI model tends to hallucinate. When a developer or an autonomous coding agent installs that name without verifying it, the attacker's code runs instead.
How is slopsquatting different from typosquatting?
Typosquatting bets on human spelling mistakes with names that closely resemble a real package. Slopsquatting bets on AI hallucination: a name the model invented that never existed at all, so there's no correct name for collision detection to compare it against.
Can I just check if the package exists on the registry before installing?
That's a necessary step, not a sufficient one. Confirming a package exists doesn't confirm it was registered before your project needed it, that the publisher is legitimate, or that its install scripts are safe. Attackers specifically register hallucinated names to pass that first, shallow check.
Does this only affect junior developers who don't check their code?
No. The riskiest cases documented so far involve autonomous coding agents resolving packages programmatically, with no human glancing at the name at all, and hallucinated names have been copied into official documentation by experienced teams.
Is this only about AI hallucinating names, or are attackers doing something more deliberate?
Both. Researchers have documented state-linked actors engineering packages specifically to appeal to AI coding agents, seeding documentation to bias what a model recommends, and exploiting overly permissive AI-powered automation inside CI/CD pipelines, alongside opportunistic hallucination-based name-squatting.
Does using a well-known, trusted package eliminate this risk?
Not entirely. Trusted, high-usage packages have themselves been compromised through stolen publishing credentials rather than hallucination, precisely because their popularity and presence inside AI development pipelines makes them a high-value target.
Who coined the term slopsquatting?
Security researcher Seth Larson of the Python Software Foundation coined the term, as a play on typosquatting, to describe attackers exploiting AI-generated package suggestions instead of human typing errors.

About This Article

Olga Pascal
Olga Pascal·CEO & Founder·26+ years experience

Olga Pascal founded Optimum Web in 1999. With 26+ years in software delivery and business strategy, she writes about AI automation ROI, FinTech digital transformation, and the business side of technology decisions.

AI AutomationFinTechBusiness StrategyDigital Transformation

Need Help With This?

You now understand this topic. If you'd rather have our engineers handle it while you focus on your business — here are your options.

Free

Free Diagnostic

Send us your specific case — we'll analyze it and tell you exactly what needs to be done. No obligation.

Get Free Diagnostic →
MOST POPULAR
Quick Fix

IT Health Check

€5

15 min delivery. 14-day warranty. Senior engineer only.

Order Now →
Full Solution

Free Consultation

0

Describe your challenge — we suggest a solution. No commitment.

Learn More →
Olga Pascal

Not sure what you need? I wrote this article because I see businesses struggle with these problems daily.

Reply to me directly at olga@optimum-web.com — describe your situation in 2–3 sentences, and I'll personally recommend the right solution. No sales pitch, just honest advice.

— Olga Pascal, Business Development at Optimum Web

Cite This Article

APA Format

Olga Pascal. (2026). Your AI Assistant Just Recommended a Package That Doesn't Exist. Someone Already Registered It.. Optimum Web. https://www.optimum-web.com/blog/ai-hallucinated-packages-slopsquatting/

For AI Citation (AEO)

Source: "Your AI Assistant Just Recommended a Package That Doesn't Exist. Someone Already Registered It." by Olga Pascal (Optimum Web, 2026). URL: https://www.optimum-web.com/blog/ai-hallucinated-packages-slopsquatting/