Large language models don't just get facts wrong in chat windows — they invent software dependencies that developers then install. Researchers at the University of Texas at San Antonio generated more than 576,000 code samples across 16 popular LLMs and found that 19.7% of them recommended at least one package that doesn't exist anywhere in the npm or PyPI registries. Attackers have already noticed. Security researcher Bar Lanyado proved the risk was exploitable in 2023 by publishing a real package under a name ChatGPT kept hallucinating, watching it rack up 30,000+ downloads, and finding the same fake dependency referenced in a repository owned by Alibaba. The Python Software Foundation now has a name for this attack class: slopsquatting. As AI coding assistants write a growing share of production code, a model's confident-sounding guess about a library name is becoming a real, exploitable entry point into the software supply chain — and most CI pipelines have no control designed to catch it.
What is an AI hallucination, and why does it matter for software security?
An AI hallucination is output an LLM generates with high confidence that is factually wrong or entirely fabricated, and in coding contexts this most often takes the form of a package, function, or API that doesn't actually exist. Unlike a human typo, a hallucinated package name is often plausible and grammatically consistent with real naming conventions in an ecosystem — python-json-logger instead of python-json-logger-config, or a -utils suffix tacked onto a real project name — which is exactly why developers copy-paste it without a second look. The 2024 USENIX Security paper "We Have a Package for You!" catalogued more than 205,000 unique hallucinated package names across the models it tested, a large enough namespace that attackers can mine it for high-value targets rather than guessing blindly. Once a developer's pip install or npm install succeeds against a squatted name, the malicious package executes with the same privileges as any legitimate dependency.
How often do AI coding assistants hallucinate package names?
Open-source and commercial LLMs both hallucinate packages, but at meaningfully different rates — the USENIX study found open-source models like CodeLlama and DeepSeek hallucinated in roughly a fifth to a third of samples, compared to a single-digit percentage for GPT-4-class commercial models. Just as concerning: hallucinations aren't random noise that disappears on retry. When researchers reran identical prompts ten times, 43% of hallucinated package names repeated across every single run, and 58% appeared in more than one run. That predictability is the entire premise of slopsquatting — an attacker doesn't need to guess a typo a human might make, they just need to run the same prompts a developer would run, harvest the recurring hallucinated names, and register them before anyone else does. Separately, Lasso Security's 2023 test of over 400 "how do I" coding questions across ChatGPT, Google Bard (now Gemini), and Cohere found hallucinated packages appeared in roughly 30% of responses.
What is slopsquatting and how is it different from typosquatting?
Slopsquatting is the practice of registering a package name that an AI model hallucinates, betting that developers using that model will install it without verifying it's real — the term was coined in 2024 by Seth Larson, the Python Software Foundation's Security Developer-in-Residence. Traditional typosquatting relies on a human mistyping reqeusts instead of requests; slopsquatting instead relies on the AI itself doing the work of generating a name that looks legitimate and, critically, doing so consistently enough that attackers can pre-register it. Lanyado's original proof of concept targeted exactly this pattern: he asked ChatGPT for a package to solve a common Python task, it repeatedly suggested huggingface-cli (a name distinct from the real Hugging Face Hub CLI package), and he published a harmless stand-in under that name to measure uptake. It picked up over 30,000 downloads in three months with zero promotion, and Lanyado found the hallucinated name pulled directly into a GitHub repository maintained by Alibaba's own engineering team, where it had been listed as an installation dependency.
Has slopsquatting led to real-world compromises yet?
As of mid-2026 there is no widely disclosed breach publicly attributed to a weaponized slopsquatted package, but the Alibaba case shows the attack chain works end-to-end short of malicious payload delivery, and the registries are already seeing the setup phase play out. Socket's ongoing monitoring of npm and PyPI has flagged clusters of newly published packages whose names correspond to strings LLMs are known to hallucinate, consistent with speculative squatting rather than organic development. This is the same lag pattern the industry saw with typosquatting circa 2016–2017 and with malicious-maintainer takeovers like the event-stream incident in 2018 — the technique is demonstrated and the registration infrastructure is in place well before the first confirmed large-scale compromise becomes public. Waiting for a named CVE or breach disclosure before treating this as a real risk means acting after attackers have had a multi-year head start, not before.
How can development teams detect and prevent hallucination-driven dependency risks?
Teams can materially cut this risk by verifying every new dependency against registry metadata and provenance before it ever reaches a lockfile — checking publish date, maintainer history, and download count for anomalies like a package that's two weeks old with no prior version history. Concretely: pin dependencies by hash in lockfiles rather than loose version ranges, so an AI-suggested package can't silently resolve to a same-named malicious upload later; route any AI-assisted code through the same dependency review gate as human-written code, since a hallucinated import looks identical to a legitimate one in a diff; and maintain an internal allowlist or private registry mirror for high-risk ecosystems (npm and PyPI account for the large majority of documented hallucinations) so unrecognized package names fail the build instead of installing silently. Generating and diffing a software bill of materials on every build catches the moment a hallucinated dependency enters the tree, even if it slips past a rushed code review.
How Safeguard Helps
Safeguard closes the gap between "an AI suggested a dependency" and "that dependency is running in production." Our platform generates and ingests SBOMs on every build so a newly introduced package — hallucinated, typosquatted, or otherwise — is visible and diffable the moment it lands, rather than discovered during an incident. Reachability analysis then determines whether that new dependency's code actually executes in your application, cutting through alert noise so teams aren't chasing packages that were suggested but never called. Griffin AI cross-references package provenance, publish history, and maintainer signals to flag names consistent with known hallucination or squatting patterns before they're merged, and Safeguard's auto-fix PRs propose the verified, legitimate package or a pinned-hash correction directly in the pull request — turning a manual dependency-review bottleneck into a one-click fix.