Slopsquatting Festival
Hallucinated package names get squatted by attackers — and your AI keeps installing them.
What it is
AI confidently imports react-csv-parser. There is no such package — until an attacker, watching public AI output, registers the name. The next AI session — yours — runs npm install. It works. It does what you asked. It also does whatever the attacker wants.
How it happens
Models hallucinate package names that fit the pattern of real ones — fastify-jwt-auth, aws-lambda-helpers, react-async-debounce. The hallucination frequency is high enough that “slopsquatting” became a viable attack vector: scrape public AI outputs, identify the names that don’t exist on the registry, pre-register them, ship something that does what the name implies plus a malicious install hook. Wait for the AI-generated installs to roll in.
The specific AI failure chain: the model produces an import line for a plausible-sounding library. The developer (or, increasingly, an autonomous coding agent) runs the install. The registry has a package by that name. The install succeeds. The post-install script runs with the developer’s credentials and network access. The imported code works because the package legitimately implements the obvious behavior — the malice is in the install hook, the build artifact, or the dependency tree the new package pulls in.
Why it’s dangerous
Real attacks have already happened on PyPI and npm. The blast radius is the supply chain: credentials exfiltrated at install time, build artifacts compromised, downstream consumers infected when the next release ships. Unlike most slop, this one is actively adversarial — there is a person on the other end specifically targeting your AI’s tendencies, and they don’t need to compromise you, only your dependency resolver.
The AI-era hinge: pre-AI, “made up a package name and installed it” required uncommon carelessness. Post-AI, it’s the default failure mode, it scales with model velocity, and the attacker’s ROI scales with how widely deployed the AI assistant is. The cost lands on whichever team had AI install a dependency without verifying it.
How to prevent it
Don’t let AI-suggested dependencies land without verification. The friction signal is the new import line — every new dependency is a security boundary, and crossing it requires affirmative evidence the package is real, maintained, and benign. AI is excellent at the verification work too: ask it to confirm the package exists, who maintains it, how long the maintainer account has existed, when the last release shipped, and whether the install scripts do anything unexpected. The same model that suggested the package can do the homework on it.
Scale to stakes: a trivial dev-only utility in a sandbox is different from a production runtime dependency. The signal that you’ve mis-scaled is when a dependency lands on production servers without anyone having checked the maintainer.
The serious team fix
Three things, reinforcing each other:
- A team habit of justifying every new dependency. PRs that add a dependency call it out explicitly — name the maintainer, link the source repo, explain why writing the code in-house (with AI’s help) was rejected. Most “small utility” imports lose this argument the moment it’s made out loud. The habit moves the dependency decision from invisible to defended.
- An AI-leveraged dependency-verification agent. A slash command, pre-commit hook, or CI step that takes every new import and checks the registry: does the package exist? Who owns it? How old is the account? Are there install hooks? Has any version been pulled for malware? Does the maintainer domain look squatted? AI does the legwork and produces a verdict; the human reviews the surfaced risks instead of doing the lookups by hand.
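The failure chain from the "How it happens" section and the verification agent just described, as an added example that is not part of the original post: a Node script that pulls package names out of new import lines and scores each one against registry metadata. The metadata shape follows what `https://registry.npmjs.org/<name>` returns (`time.created`, `dist-tags`, `versions[v].scripts`, `maintainers`, `description`); the two registry documents, the "now" timestamp and the source snippet below are constructed samples, and the `example-legit-lib` name is a placeholder. The "security holding package" test relies on npm's convention of replacing packages removed for malware with a placeholder carrying that description. Maintainer account age, which the post also asks for, is not in the public package document and is left to a separate lookup.

```javascript
// Added example (not from the original post): a dependency-verification
// step for npm. Import lines -> package names -> a verdict per package,
// computed from registry metadata. In CI you would fetch that metadata
// from the registry; here it is an in-memory, constructed sample.

const DAY_MS = 24 * 60 * 60 * 1000;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Extract bare package names from import/require lines: subpaths are
// dropped, scoped packages keep their scope, local and node: specs are skipped.
function importedPackages(sourceText) {
  const re = /(?:from\s+|require\(\s*|import\s+)['"]([^'"]+)['"]/g;
  const names = new Set();
  for (const match of sourceText.matchAll(re)) {
    const spec = match[1];
    if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) continue;
    const parts = spec.split('/');
    names.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
  }
  return [...names];
}

// Score one registry document. `meta` is null when the registry answered 404:
// the name is a hallucination today and could be registered by anyone tomorrow.
function assessPackage(name, meta, now = Date.now()) {
  const findings = [];
  if (!meta) {
    findings.push('not on the registry: hallucinated name, open for squatting');
    return { name, verdict: 'block', findings };
  }
  const ageDays = (now - Date.parse(meta.time && meta.time.created)) / DAY_MS;
  if (!(ageDays > 90)) findings.push(`package created ${Math.round(ageDays)} days ago`);
  const versions = Object.keys(meta.versions || {});
  if (versions.length < 3) findings.push(`only ${versions.length} published version(s)`);
  const latestTag = meta['dist-tags'] && meta['dist-tags'].latest;
  const latest = (meta.versions || {})[latestTag] || {};
  const hooks = INSTALL_HOOKS.filter(h => latest.scripts && latest.scripts[h]);
  if (hooks.length) findings.push(`install hooks: ${hooks.join(', ')}`);
  if (/security holding package/i.test(meta.description || '')) {
    findings.push('registry replaced this package with a security holding version');
  }
  if ((meta.maintainers || []).length === 1) findings.push('single maintainer');
  // Anything that runs code at install time or is brand new is blocked outright;
  // other findings go to a human reviewer.
  const verdict = findings.length === 0 ? 'allow'
    : (hooks.length || ageDays < 30) ? 'block' : 'review';
  return { name, verdict, findings };
}

function verifyImports(sourceText, registry, now = Date.now()) {
  return importedPackages(sourceText).map(name => assessPackage(
    name,
    Object.prototype.hasOwnProperty.call(registry, name) ? registry[name] : null,
    now));
}

// Constructed samples: a fixed "now", two registry documents, one absent name.
const NOW = Date.parse('2025-03-10T00:00:00Z');
const SAMPLE_REGISTRY = {
  'example-legit-lib': {
    name: 'example-legit-lib',
    description: 'constructed sample of a long-lived, maintained package',
    'dist-tags': { latest: '2.0.0' },
    versions: { '1.0.0': { scripts: {} }, '1.1.0': { scripts: {} },
                '2.0.0': { scripts: { test: 'node test.js' } } },
    time: { created: '2019-01-10T00:00:00Z', modified: '2024-11-02T00:00:00Z' },
    maintainers: [{ name: 'maintainer-a' }, { name: 'maintainer-b' }],
  },
  'react-csv-parser': {
    name: 'react-csv-parser',
    description: 'constructed sample of a freshly registered hallucinated name',
    'dist-tags': { latest: '1.0.0' },
    versions: { '1.0.0': { scripts: { postinstall: 'node setup.js' } } },
    time: { created: '2025-03-07T12:00:00Z', modified: '2025-03-07T12:00:00Z' },
    maintainers: [{ name: 'new-account' }],
  },
  // 'aws-lambda-helpers' is deliberately absent: the registry would answer 404.
};
const SAMPLE_SOURCE = [
  "import { parse } from 'react-csv-parser';",
  "import helpers from 'aws-lambda-helpers/dist/index.js';",
  "const lib = require('example-legit-lib');",
  "import './local-module';",
  "import fs from 'node:fs';",
].join('\n');

for (const r of verifyImports(SAMPLE_SOURCE, SAMPLE_REGISTRY, NOW)) {
  console.log(`${r.verdict.toUpperCase()} ${r.name}: ${r.findings.join('; ') || 'no findings'}`);
}
```

Wire `verifyImports` into a pre-commit hook or CI step over the diff of changed files, and fail the run on any `block` verdict; the `review` findings are what the human reads instead of doing the registry lookups by hand.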
- A private registry mirror with an allowlist, lockfile enforcement, and sandboxed install hooks. New dependencies don’t reach developer machines or CI until a human approves them into the allowlist. Lockfiles are required and verified at every install. Post-install scripts execute in a sandbox that can’t reach the network or the developer’s credentials. The supply chain is closed by default, not by trust.
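The allowlist and lockfile enforcement from the third point, as an added example that is not part of the original post: a CI gate that reads a `package-lock.json` (lockfileVersion 3 layout, where `packages` maps `node_modules/...` paths to entries with `version`, `resolved`, `integrity` and, for packages with install scripts, `hasInstallScript`) and refuses the install unless every package is on the human-approved allowlist, resolves to the private mirror, and carries an integrity hash. The mirror URL, the allowlist and the lockfile below are constructed samples.

```javascript
// Added example (not from the original post): lockfile enforcement for a
// closed-by-default supply chain. Every package in package-lock.json must be
// (1) on the reviewer-approved name@version allowlist, (2) resolved from the
// private mirror, (3) pinned with an integrity hash, and (4) free of install
// scripts unless explicitly approved. The mirror URL is an assumed placeholder.

const MIRROR = 'https://npm-mirror.internal.example/';

// Exact name@version pairs a human has approved into the allowlist (constructed).
const ALLOWLIST = new Set([
  'example-legit-lib@2.0.0',
  'example-transitive@0.4.1',
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx < 0 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Returns a list of violations; an empty list means the install may proceed.
function auditLockfile(lock, allowlist = ALLOWLIST, mirror = MIRROR) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || entry.link) continue; // root project / workspace symlink
    const name = packageNameFromPath(lockPath);
    if (!name) continue;
    const id = `${name}@${entry.version}`;
    if (!allowlist.has(id)) violations.push(`${id}: not on the approved allowlist`);
    if (!entry.resolved || !entry.resolved.startsWith(mirror)) {
      violations.push(`${id}: resolved from ${entry.resolved || 'nowhere'} instead of the private mirror`);
    }
    if (!entry.integrity) violations.push(`${id}: missing integrity hash`);
    if (entry.hasInstallScript) violations.push(`${id}: declares install scripts`);
  }
  return violations;
}

// Constructed lockfile: two approved packages from the mirror plus one
// AI-installed package that never went through review.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app',
          dependencies: { 'example-legit-lib': '^2.0.0', 'react-csv-parser': '^1.0.0' } },
    'node_modules/example-legit-lib': {
      version: '2.0.0',
      resolved: MIRROR + 'example-legit-lib/-/example-legit-lib-2.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH_A',
      dependencies: { 'example-transitive': '^0.4.0' },
    },
    'node_modules/example-transitive': {
      version: '0.4.1',
      resolved: MIRROR + 'example-transitive/-/example-transitive-0.4.1.tgz',
      integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH_B',
    },
    'node_modules/react-csv-parser': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/react-csv-parser/-/react-csv-parser-1.0.0.tgz',
      hasInstallScript: true,
    },
  },
};

const found = auditLockfile(SAMPLE_LOCK);
for (const v of found) console.log('DENY ' + v);
if (found.length === 0) console.log('lockfile clean: install may proceed');
```

Run this before `npm ci` in CI and on developer machines; pair it with an `.npmrc` that sets `registry=` to the mirror and `ignore-scripts=true`, so that even an unreviewed package cannot run a post-install hook with the developer's credentials.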
The shift is: the attacker is reading the same AI output you are. The dependency line is now a security boundary; treat it like one, and let the AI do the boundary-checking work it wouldn’t do on its own.