A new class of software supply chain attack is exploiting a fundamental weakness in AI coding assistants: their tendency to hallucinate. Dubbed slopsquatting — a portmanteau of "AI slop" and "typosquatting" — the threat allows cybercriminals to preemptively register fake package names that LLMs routinely invent, then populate them with malware.
What Is Slopsquatting?
When a developer asks an AI coding assistant to help write code, the model may recommend fictitious open-source packages that simply don't exist. On its own, that's just an annoyance. But when an attacker registers that hallucinated package name and uploads malicious code to it, the fake dependency becomes a live threat — embedded directly into a developer's codebase.
This differs fundamentally from classic typosquatting, where attackers register misspelled variants of popular libraries (e.g., crossenv instead of cross-env). Package registries have built defenses against that technique over decades. Slopsquatting bypasses those protections entirely — hallucinated names like cross-env-extended or mpn install cross-env file aren't flagged as suspicious.
Why AI Makes This Worse
LLMs generate the statistically most probable output, not the most accurate one. This means:
- Hallucinated package names tend to be consistent across queries and models — not random noise
- Attackers can study which fake packages a given model repeatedly recommends, then register exactly those names
- Because the hallucinations sound plausible and appear in coherent code context, developers rarely question them
One study found hallucination rates ranging from 50% to 82% depending on the model and prompting method. Even GPT-4o, the best-performing model tested, had a floor of 23% — even with prompt-based mitigation applied.
The Scale of the Problem
Research analyzing 576,000 code samples and 2.23 million packages across 30 systems found that 19.7% of generated packages were hallucinations. Key findings by model:
- GPT-4.0 Turbo: 3.59% hallucination rate
- DeepSeek 1B (best-performing open-source model): 13.63% hallucination rate
- Proprietary models are roughly 4x less likely to produce hallucinated packages than open-source alternatives
A separate study on open-source vulnerabilities found reported flaws growing at 98% annually — nearly four times the 25% annual growth rate of open-source packages themselves — with an 85% increase in average vulnerability lifespan.
Vibe Coding Expands the Attack Surface
The rise of vibe coding — relying heavily on AI to generate functional code with minimal manual review — is compounding the problem. Developers estimate that over 40% of committed code already includes AI assistance, and that figure is expected to grow. Currently, 72% of developers who have tried AI coding tools use them daily.
As AI-assisted development becomes the norm, the population of developers unknowingly incorporating unverified dependencies is expanding rapidly.
Adversarial Amplification
The threat doesn't stop at passive hallucination. Attackers can actively use token-level manipulation or retrieval poisoning to steer models toward recommending specific hallucinated package names — ones they've already registered and weaponized. This transforms slopsquatting from an opportunistic attack into a targeted, repeatable campaign.
"Once attackers realize this disparity, they may manipulate proprietary LLMs to take advantage of perceived safety."
How to Defend Against It
Organizations can reduce slopsquatting exposure through a combination of process and tooling:
- Validate every AI-recommended package against official registries before installation
- Implement automated checks that flag package names not found in known, trusted repositories
- Monitor for unusual package installations in CI/CD pipelines and production environments
- Maintain threat intelligence on known slopsquatting campaigns and hallucinated package names
- Prefer proprietary models for code generation tasks where supply chain risk is a concern — while remaining aware that the gap may narrow as attackers adapt
Slopsquatting is still an emerging threat, but its ingredients — persistent LLM hallucinations, low-friction package publishing, and growing developer reliance on AI — are already in place. The window to build defenses before widespread exploitation is narrow.



