# Slopsquatting

Slopsquatting is a software supply chain attack in which attackers register package names that AI models tend to hallucinate, then wait for developers (or AI agents) to install them. It exploits [[AI Hallucination]] rather than human typos, which makes it distinct from [[Namesquatting]] and traditional typosquatting.

## How it works

1. A developer asks an LLM for help with code or package installation.
2. The model confidently suggests a package name that does not exist (a hallucination).
3. An attacker has already registered that hallucinated name on a public registry (npm, PyPI, etc.).
4. The developer (or an AI agent) installs the malicious package.
5. Install-time hooks run the attacker's code: npm executes the package's `preinstall`/`postinstall` lifecycle scripts, and pip executes `setup.py` when it builds a source distribution. That code can exfiltrate credentials, inject backdoors, or establish persistence.

The key insight: LLM hallucinations are not random. They are statistically predictable. The same model will repeatedly hallucinate the same plausible-sounding package names, which makes those names reliable attack targets.

## Why it's worse than typosquatting

- Typosquatting relies on human error (mistyping `cross-env` as `crossenv`); slopsquatting relies on machine error at scale.
- Hallucinated names often look nothing like an existing package (a conflation such as `express-mongoose` is many edits away from both `express` and `mongoose`), so the edit-distance similarity checks registries use to catch typosquats do not fire.
- [[Vibe Coding]] and autonomous AI agents install packages without human review, massively increasing the attack surface.
- A single hallucinated name can spread across hundreds of repositories through AI-generated code.

## Research findings

A USENIX Security 2025 study tested 16 code-generation models across 576,000 code samples:

- ~20% of samples recommended nonexistent packages
- 38% of hallucinated names conflate real package names (e.g., `express-mongoose`)
- 13% are typo variants of real packages
- 51% are pure fabrications
- 43% of hallucinated packages were repeated consistently across 10 queries
- 8.7% of Python hallucinations matched valid JavaScript package names (cross-ecosystem confusion)

The last two points are what make the attack practical: an attacker does not need to guess which names a model will invent, only to prompt the model and register what it repeatedly returns.

## Real-world examples

- **huggingface-cli (2024)**: Bar Lanyado of Lasso Security documented AI models repeatedly hallucinating this Python package. When registered as an empty package on PyPI, it received 30,000+ downloads in three months. The case also shows that download counts alone are not a trust signal: every one of those downloads came from a name no legitimate project ever published.
- **react-codeshift (2026)**: a hallucinated conflation of `jscodeshift` and `react-codemod` that spread across 237 GitHub repositories through AI-generated agent skills.
- **unused-imports**: AI suggested this instead of `eslint-plugin-unused-imports`; the malicious package was pulling 233 downloads/week.

## Mitigation

1. **Verify packages before installing**: check publisher identity, creation date, release history, and the linked source repository. An unfamiliar name that was created recently, has a single release, no description and no repository is the typical profile of a freshly squatted hallucination. A repository link on its own is weak evidence, since [[Starjacking]] points a package at someone else's repository; confirm the repository actually publishes the package.
2. **Restrict autonomous installation**: AI agents and CI/CD pipelines should not install packages without human approval or an allowlist check on the package name.
3. **Disable install-time scripts where possible**: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) and `pip install --only-binary=:all:` remove the hook in step 5 above, so a squatted package cannot run code merely by being installed.
4. **Use lockfiles and pinned dependencies**: a lockfile does not stop a developer from deliberately adding a hallucinated name, but it keeps the resolved set stable, so any new package appears as an explicit lockfile diff that code review can question. Install from the lockfile strictly (`npm ci`, `pip install --require-hashes`) so nothing enters the tree unrecorded.
5. **Software Composition Analysis (SCA)**: scan full dependency trees for known-malicious or suspicious packages.
6. **Registry-level defenses**: package managers should flag newly registered packages that match known hallucination patterns, not only names within a small edit distance of existing packages.

## References

- Spracklen et al., "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs", USENIX Security 2025 (16 LLMs, 576,000 code samples)
- Bar Lanyado, Lasso Security: original huggingface-cli hallucination research (2024)
- https://x.com/BaselIsmail/status/2039677597311996389

## Related

- [[Namesquatting]]
- [[Typosquatting]]
- [[Dependency Confusion]]
- [[Starjacking]]
- [[Software Supply Chain Security]]
- [[Software Composition Analysis (SCA)]]
- [[Package Registry Security]]
- [[AI Hallucination]]
- [[AI Skill Supply Chain Security]]
- [[Vibe Coding]]
- [[Attack surface]]
- [[Attack vectors]]
- [[AI Safety]]
- [[Generative AI Risks]]
- [[Large Language Models (LLMs)]]
- [[AI Agents]]
- [[AI Agent Permissions]]
- [[Data Poisoning]]
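## Worked examples

The claim above that hallucinated names slip past registry similarity checks is easy to see in code. The following is an added example written for this page (it is not code from the USENIX paper or from any registry); it classifies a candidate name the way the study's taxonomy does (typo variant, conflation, fabrication) using an edit-distance check of the kind typosquat detectors use, plus a token-recombination check. The `KNOWN_PACKAGES` set is a constructed stand-in for a registry index.

```python
"""Classify a package name relative to a (constructed) registry index.

Added example for the slopsquatting page, not code from any registry or paper.
KNOWN_PACKAGES is a tiny constructed stand-in for the npm/PyPI index.
"""
import re

# Constructed stand-in for a registry index; real indexes hold millions of names.
KNOWN_PACKAGES = {
    "express", "mongoose", "cross-env", "jscodeshift", "react-codemod",
    "eslint-plugin-unused-imports", "requests", "huggingface-hub",
}


def normalize(name: str) -> str:
    """Fold case and punctuation runs the way PEP 503 does for PyPI names."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


INDEX = {normalize(k) for k in KNOWN_PACKAGES}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the usual basis of registry typosquat checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def typosquat_matches(name: str, index=INDEX, max_distance: int = 2) -> list:
    """Real packages within a small edit distance of `name` (the typosquat case)."""
    n = normalize(name)
    return sorted(k for k in index if k != n and edit_distance(n, k) <= max_distance)


def conflation_sources(name: str, index=INDEX) -> list:
    """Real packages whose hyphen-separated tokens the candidate is stitched from.

    `express-mongoose` is far from both `express` and `mongoose` in edit distance,
    but every token of it names (or belongs to) a real package. Single-token names
    are excluded: a lone token shared with one real package is not a recombination.
    """
    parts = normalize(name).split("-")
    if len(parts) < 2:
        return []
    owners = {}
    for k in index:
        for t in k.split("-"):
            owners.setdefault(t, set()).add(k)
    sources = set()
    for t in parts:
        if t not in owners:
            return []          # a token no real package uses: not a recombination
        sources |= owners[t]
    return sorted(sources)


def classify(name: str) -> tuple:
    """Return (category, related real packages) for a candidate package name."""
    n = normalize(name)
    if n in INDEX:
        return ("exists", [n])
    near = typosquat_matches(n)
    if near:
        return ("typo-variant", near)       # what registry similarity checks catch
    sources = conflation_sources(n)
    if sources:
        return ("conflation", sources)      # far in edit distance, still derived
    return ("fabrication", [])              # nothing in the index resembles it


if __name__ == "__main__":
    for candidate in ("crossenv", "express-mongoose", "unused-imports", "react-codeshift"):
        print(candidate, "->", classify(candidate))
```

Only the `typo-variant` branch corresponds to what an edit-distance registry check would block. `express-mongoose` and `unused-imports` are caught here only because of the extra token check, and `react-codeshift` (a letter-level blend of `jscodeshift` and `react-codemod`) falls through to `fabrication` even so. That is the gap slopsquatting exploits, and why name heuristics need to be backed by the allowlist and metadata gate from the mitigation section.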
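Mitigation items 1 and 2 (verify metadata, gate autonomous installs behind an allowlist) can be combined into a pre-install check. The following is an added example written for this page, not a tool from the page, the study or any vendor. The PyPI JSON API shape it reads (`https://pypi.org/pypi/<name>/json`, with `info` and `releases`) is real, but the sample metadata, the requirement lines, the allowlist and the thresholds (`min_age_days`, `min_releases`) are constructed assumptions for illustration.

```python
"""Pre-install gate: allowlist check plus PyPI metadata risk signals.

Added example for the slopsquatting page, not code from the page or any vendor.
Real lookups use fetch_pypi_metadata(); the demo runs offline on constructed data.
"""
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone


def normalize(name: str) -> str:
    """PEP 503 name normalization, so `Foo_Bar` and `foo-bar` compare equal."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def parse_requirement(line: str) -> str | None:
    """Normalized project name from a requirements.txt line, or None to skip."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):       # blank, comment, or pip option (-r, --index-url)
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None


def fetch_pypi_metadata(name: str) -> dict | None:
    """Live lookup (network). Returns None when the name is not registered at all."""
    url = f"https://pypi.org/pypi/{name}/json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def assess(meta: dict | None, now: datetime, min_age_days: int = 90, min_releases: int = 3) -> list[str]:
    """Risk signals for one package's PyPI JSON; an empty list means nothing suspicious.

    Download counts are deliberately not used: the JSON API no longer reports them,
    and the huggingface-cli case shows they can be inflated purely by hallucinations.
    """
    if meta is None:
        return ["unregistered"]      # hallucinated and still claimable by an attacker
    info = meta.get("info", {})
    releases = meta.get("releases", {})
    signals = []
    uploads = [f["upload_time_iso_8601"] for files in releases.values() for f in files]
    if not uploads:
        signals.append("no uploaded files")
    else:
        first = min(datetime.fromisoformat(t.replace("Z", "+00:00")) for t in uploads)
        age = now - first
        if age < timedelta(days=min_age_days):
            signals.append(f"first upload only {age.days} days ago")
    if len(releases) < min_releases:
        signals.append(f"only {len(releases)} release(s)")
    urls = list((info.get("project_urls") or {}).values()) + [info.get("home_page") or ""]
    # Weak signal only: a starjacked package links to someone else's repository.
    if not any(h in (u or "") for u in urls for h in ("github.com", "gitlab.com", "codeberg.org")):
        signals.append("no source repository link")
    if not (info.get("summary") or "").strip():
        signals.append("empty summary")
    return signals


def gate(requirements_text: str, allowlist: set[str], metadata_for, now: datetime) -> dict[str, list[str]]:
    """Map every non-allowlisted requirement to its risk signals.

    `metadata_for` is a callable name -> PyPI JSON dict or None (fetch_pypi_metadata
    in real use). An agent or CI job should refuse to install any name that appears
    in the returned report until a human has reviewed it.
    """
    report = {}
    for line in requirements_text.splitlines():
        name = parse_requirement(line)
        if name is None or name in allowlist:
            continue
        report[name] = assess(metadata_for(name), now)
    return report


# Constructed sample data (not real PyPI responses), frozen at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_METADATA = {
    "requests": {
        "info": {"name": "requests", "summary": "Python HTTP for Humans.",
                 "home_page": "", "project_urls": {"Source": "https://github.com/psf/requests"}},
        "releases": {"2.28.0": [{"upload_time_iso_8601": "2022-06-09T11:59:22.000000Z"}],
                     "2.31.0": [{"upload_time_iso_8601": "2023-05-22T15:12:42.313790Z"}],
                     "2.32.3": [{"upload_time_iso_8601": "2024-05-29T15:37:47.654321Z"}]},
    },
    "example-hallucinated-pkg": {     # fresh, empty, single release: squatted-name profile
        "info": {"name": "example-hallucinated-pkg", "summary": "", "home_page": "", "project_urls": None},
        "releases": {"0.0.1": [{"upload_time_iso_8601": "2024-05-12T10:00:00Z"}]},
    },
}
SAMPLE_REQUIREMENTS = """\
requests>=2.31            # allowlisted, skipped
example-hallucinated-pkg==0.0.1
ghost-utils               # constructed name with no registry entry
"""
ALLOWLIST = {"requests"}


def check_sample() -> dict[str, list[str]]:
    """Run the gate offline against the constructed sample above."""
    return gate(SAMPLE_REQUIREMENTS, ALLOWLIST, SAMPLE_METADATA.get, NOW)


if __name__ == "__main__":
    print(json.dumps(check_sample(), indent=2))
```

In a CI job or agent harness the report is the decision: an empty report means every requirement is either allowlisted or looks established, and a non-empty one blocks the install for review. The `unregistered` signal deserves special handling, since a name that is not on the registry today is exactly what an attacker registers tomorrow.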