Key Takeaways
- AI coding assistants hallucinate fake package names that sound legitimate, creating a new attack surface typosquatting defenses cannot catch
- Attackers register these hallucinated names and wait; developers pull malware directly into production because the AI recommended it
- Vulnerability growth (98% annually) already outpaces package growth (25%); slopsquatting will accelerate this divergence
- No registry-level fix exists because the threat isn't misspelling — it's plausible invention at scale
The industry spent years hardening package registries against typosquatting. Cross-env got crossenv blocked. Requests got requessts flagged. The defenses work because the attack pattern is predictable: humans mistype, attackers anticipate. Slopsquatting breaks the model entirely. Large language models don't mistype. They invent. They conjure package names that follow every naming convention, sound perfectly plausible, and exist nowhere — until an attacker registers them.
This is not a hypothetical. Researchers found that LLMs consistently hallucinate the same fictitious packages across multiple runs. That consistency is the kill shot. An attacker who maps the hallucination space of popular coding assistants knows exactly which names to register. They don't need to guess what developers might type. The AI tells developers what to type. The recommendation carries the weight of authority. A junior developer sees "cross-env-extended" suggested by their copilot and installs it. The registry sees a legitimate new package. No alarm fires.
The numbers already screamed before slopsquatting had a name. Vulnerabilities growing at 98 percent annually. Package count growing at 25 percent. Average vulnerability lifespan up 85 percent. The supply chain was drowning in legitimate flaws. Now attackers get a zero-day factory: they register the hallucination, publish clean code, wait for adoption, then push a malicious update. The payload reaches production environments that trusted the AI's judgment. The trust chain is developer → AI → registry → attacker. Every link believes the previous one validated the next.
Registry maintainers will argue they can scan for malicious behavior. They always argue that. But behavioral scanning catches payloads, not intent. A package that behaves perfectly for six months then exfiltrates credentials passes every scan until it doesn't. The hallucinated name gives attackers persistence. They don't need to trick a human into a typo once. They need the AI to hallucinate the same name repeatedly — which it does. The attack surface replenishes itself every time a developer prompts "install a package for X."
Mitigation proposals miss the point. "Verify package names before install" assumes developers have time, expertise, and a ground truth to verify against. They have none of those. They have an AI that writes code. "Use private registries with allowlists" works for enterprises that curate every dependency. It fails for the vast middle — startups, contractors, open-source maintainers — who move fast and trust the ecosystem. "Train models to stop hallucinating packages" is a research problem with no shipping date. Hallucination is inherent to probabilistic generation. You cannot align it away.
The uncomfortable truth: AI coding assistants have become unwitting supply chain brokers for malware. They surface attack surfaces that didn't exist yesterday and won't exist tomorrow — replaced by new hallucinations, new registrations, new malicious updates. The registry model assumes human intent. Slopsquatting exploits synthetic intent. No patch fixes a broken threat model.
Regulators treat AI risk as misinformation. They're wrong. This is software integrity risk. A hallucinated package name is not a wrong answer. It is a supply chain injection vector. The industry must stop treating AI output as suggestions and start treating it as untrusted input. Every package name an AI emits should be verified against a known-good index before installation. Every registry should flag names that appear only in LLM outputs and not in human publishing history. The tooling doesn't exist yet. Build it.