The rise of AI hallucinations has introduced a new supply chain threat known as slopsquatting. This threat emerges as developers increasingly depend on AI coding assistants, inadvertently providing cybercriminals with access to their software from the outset.Â
Understanding Slopsquatting
Slopsquatting is an innovative form of supply chain attack that leverages large language model (LLM) hallucinations to insert malicious code into development processes. The term merges “AI slop” with “typosquatting,” which is a tactic where attackers register altered or similar versions of popular domains to mislead users who mistype URLs.
This new attack exploits LLMs’ propensity to create non-existent software package names. Cybercriminals can register these names and fill them with harmful code.
In AI-assisted coding, the model might suggest non-existent open-source packages, which are collections of files, programs, and installation tools. While this in itself isn’t dangerous, if an attacker registers the fictitious package name, they can inject malware directly into a developer’s codebase.
AI-Induced Supply Chain Risks
Historically, AI safety concerns arose from hallucinations, potentially misguiding users who accept misinformation as true. These hallucinations have now morphed into exploitable security threats.
Typosquatting, where cybercriminals register misspelled versions of popular packages to deceive developers, has been a long-standing threat. Registries have developed defenses against it.Â
However, AI alters the threat landscape by suggesting plausible-sounding fictional packages instead of simple misspellings. Once attackers identify the fake packages frequently generated by models, they can register malware-laden packages under those names.
Since these hallucinated packages aren’t merely typographical errors of known libraries, there are no broad defenses against them. For example, while a registry might block a fake “crossenv” package mimicking “cross-env,” it might not flag “mpn install cross-env file” or “cross-env-extended” as threats.
Persistent and Severe Hallucinations
Even if multiple LLMs suggest the same fictitious package, wide-scale compromise remains a risk. Malicious packages might go unnoticed in production for extended periods, allowing attackers to surreptitiously inject malware into numerous environments.Â
A research team analyzed 31,267 vulnerabilities in 14,675 packages across 10 programming languages. They found that vulnerabilities are growing at an annual rate of 98%, outpacing the 25% yearly increase in open-source software packages. The study also noted an 85% rise in the average lifespan of vulnerabilities, signaling a reduction in security.
Real-world Impact of AI Hallucinations
Cybercriminals can develop open-access packages using the same names as frequently hallucinated libraries. These packages contain malware instead of legitimate code. Since models believe they refer to real packages, the same fictitious names are often repeated. As these hallucinations aren’t random, attackers could potentially register packages that deceive thousands of developers.
The deceptive packages appear legitimate because of their resemblance to genuine libraries. Minor typos might seem like simple errors rather than malicious actions. Even entirely made-up names seem credible when AI provides them in context. Detecting these threats is difficult, as developers trust their coding assistants to suggest valid dependencies.
Why LLMs Generate Hallucinated Packages
LLMs aim to produce the statistically probable response rather than ensuring accuracy, leading to frequent hallucinations. A study found hallucination rates range from 50% to 82%, depending on the model and prompting technique. Even the top-performing model, GPT-4o, has a minimum hallucination rate of 23% despite prompt-based mitigation.
Adversarial hallucination attacks could exacerbate this problem. Cybercriminals might employ token-level manipulation or retrieval poisoning to make models hallucinate in specific ways, boosting the chance of recommending their harmful packages.
LLMs Vulnerable to Slopsquatting
All LLMs risk slopsquatting, but some are more susceptible than others. The likelihood of generating hallucinated packages during code creation varies by model. Proprietary models are four times less likely to produce such packages compared to open-source models.
A research group demonstrated this by conducting 30 tests on 30 different systems. Among 576,000 code samples and 2.23 million packages generated, 19.7% were hallucinations. The GPT-4.0 Turbo model had a 3.59% hallucination rate, while DeepSeek 1B, the top-performing open-source model, had a rate of 13.63%.
This research indicates that organizations using open-source AI tools for code generation face a fourfold increase in exposure to slopsquatting attacks. However, this doesn’t imply proprietary tools are always safer. Once attackers become aware of this difference, they may exploit proprietary LLMs to benefit from perceived safety.
The Role of Vibe Coding
Developers using AI tools believe that over 40 percent of their code involves AI assistance. They anticipate this percentage to grow significantly in the near future. Currently, 72% of AI users engage with it daily.
The increase in vibe coding and AI-assisted coding extends the threat landscape. As more developers incorporate AI tools into their workflows without proper verification, the exposure to slopsquatting continues to grow.
For developers relying on AI for coding assistance, verifying outputs is crucial. Ensuring recommended packages are available in official repositories before adding them to projects can mitigate risks.
Guiding AI-Assisted Development
Automated checks to validate package names against known registries can prevent hallucinated packages from entering production code. Security teams should also monitor for unusual package installations and keep threat intelligence updated on known slopsquatting activities.
Zac Amos is the Features Editor at ReHack.

