GenAI Code Assistants and Package Hallucination: 2026 Update

LLM-suggested package names that do not exist are an established attack vector in 2026. Here is where hallucination rates sit today and how to contain them.

Shadab Khan
Security Engineer
7 min read

Package hallucination is the failure mode where a code assistant suggests importing or installing a package name that does not exist. In 2024 it was a research curiosity. In 2026 it is a staple of the initial-access playbook. Attackers now run the same open-weight models defenders do, scrape the hallucinated names, and register them on npm, PyPI, RubyGems, and crates.io within hours. The term "slopsquatting" entered common use in 2025 and already feels dated.

The mechanics are simple. A developer asks Copilot, Claude Code, Cursor, or a local Qwen-based agent for a library to do X. The model emits pip install fast-json-parser-py. That package never existed. An attacker saw the same suggestion last week, registered it, and put a crypto miner in the postinstall. The developer runs the command, and the miner runs with the developer's privileges and whatever credentials sit on that machine.

How Bad Are Hallucination Rates in 2026?

Hallucination rates improved through 2025 but have not reached zero, and the distribution across models matters more than the headline number. The Lasso Security 2025 benchmark, re-run in February 2026 against a prompt set of 4,500 package-suggesting queries, measured:

  • GPT-5 (OpenAI, API default): 1.9% hallucination rate on package names, down from 5.2% on GPT-4-turbo.
  • Claude Opus 4.7: 1.1%, down from 3.4% on Claude 3.5 Sonnet.
  • Gemini 2.5 Pro: 2.3%, down from 6.1% on Gemini 1.5.
  • Llama 3.3 70B (self-hosted): 6.8%.
  • Qwen 2.5 32B (self-hosted): 8.4%.
  • DeepSeek-Coder-V3: 7.1%.

The pattern is consistent across rerun benchmarks: frontier hosted models have pushed into the 1-2% range, and self-hosted open-weight models, which run in a large share of internal agents, sit three to eight times higher. A 7% hallucination rate across an engineering org that runs 200 agent-assisted installs per day means roughly 14 hallucinated install attempts per day. Attackers need a hit rate of one per month to run a profitable operation.

Which 2025 Incidents Actually Landed?

Several typosquats that matched known hallucinated names saw four- and five-digit download counts before takedown. The most widely reported was huggingface-cli-tools on PyPI, registered in April 2025 after appearing as a repeat hallucination across multiple open-weight coding models. The package shipped a credential exfiltration routine targeting ~/.huggingface and ~/.aws/credentials and accumulated roughly 27,000 downloads before PyPI security removed it. Hugging Face confirmed that the canonical CLI ships inside the huggingface_hub package (pip install huggingface_hub, which provides the huggingface-cli command); there is no separate CLI package to install.

On npm, react-query-toolkit (not to be confused with @tanstack/react-query) was flagged by Socket researchers in August 2025 after hitting 41,000 weekly downloads. The package name had appeared in thousands of model outputs recommending React data-fetching libraries. It ran a postinstall that wrote a cron entry and exfiltrated .env files.

The smaller cases are the ones that should worry security teams. Phylum's quarterly reports in 2025 logged more than 1,400 typosquat packages across npm and PyPI that matched LLM-hallucinated names from their ongoing prompt corpus. Most got pulled under 100 downloads. A handful did not.

Why Do Hallucinations Keep Happening If Models Are Getting Better?

Three reasons, and none are fully solvable at the model layer. First, package ecosystems churn. A model trained in June 2025 does not know about packages renamed, yanked, or published in September 2025. RAG against the live registry helps but is not universally deployed.

Second, naming space pressure. Developers ask for libraries with very specific shapes ("a Python package to parse IMAP Sieve filters with type stubs"). When a matching package does not exist, a sufficiently confident model will still produce a plausible-sounding name rather than say "no such package."

Third, the agent loop amplifies single errors. A one-step suggestion in ChatGPT can be ignored. An autonomous agent that reads the suggestion, runs pip install, catches the ModuleNotFoundError, self-corrects, and tries pip install <slightly different hallucination> may try four variants before a human notices. Each attempt is an install-time attack surface.

What Mitigations Actually Work?

The mitigations that work are at the agent and CI layer, not the model layer. Treat model output as untrusted input. Four controls that cover most of the risk:

Registry verification before install. Before any agent or assistant executes pip install X or npm install X, resolve X against your internal mirror or a trusted registry mirror. If the package is not on your allowlist, and either does not exist on the mirror or was first published less than 90 days ago, block the install and require human review. This is a ten-line wrapper around the package manager, and it cuts off the primary attack path.

Local registry first. Point all developer and CI environments at an internal proxy (Artifactory, Nexus, Verdaccio, devpi). The proxy caches packages you have already vetted and refuses new names without an approval workflow. A hallucinated package name hitting your proxy for the first time generates a ticket rather than an install.

Agent verifier tool. For autonomous coding agents, add a tool like verify_package(name, ecosystem) that the agent is required to call before any install step. The tool checks: does the package exist, how old is it, how many maintainers, what is the download trend, is it in our SBOM-approved list. Have the agent reason about the verifier's output in its plan. This prevents the agent from quietly cycling through hallucinations.

Human review gate on new dependencies. For code that adds a new entry to package.json, requirements.txt, go.mod, or Cargo.toml, require a reviewer. GitHub's dependency-review-action is a reasonable starting point. The reviewer should see: package age, maintainer count, install-script status, known vulnerabilities, and whether any other repo in your org has used it. This is the control that would have stopped both the huggingface-cli-tools and react-query-toolkit incidents.
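The pre-install gate, the verify_package tool, and the agent retry loop from the three passages above, as one added example. This is not code from the article, from Safeguard.sh, or from any package manager; the registry snapshot (names, dates, maintainer and download counts), the allowlist, and the sequence of names the "self-correcting" agent tries are all constructed for the example, and a real deployment would populate REGISTRY from an internal mirror's metadata API instead (an assumption, since the article names no specific API).

```python
"""Pre-install gate for package names proposed by a code assistant or agent.

Added example for this article; it is not code from the article, from
Safeguard.sh, or from any package manager. Everything below that looks like
data is constructed: the registry snapshot, its dates and download counts,
the allowlist, and the candidate names. A real deployment would fill
REGISTRY from an internal mirror's metadata API (assumption) instead.
"""
from dataclasses import dataclass
from datetime import date
import subprocess

TODAY = date(2026, 3, 1)       # pinned so the example is deterministic
MIN_AGE_DAYS = 90              # newness threshold from the article
MIN_MAINTAINERS = 1

@dataclass(frozen=True)
class PackageMeta:
    first_published: date
    maintainers: int
    has_install_script: bool   # npm postinstall, setup.py hooks, build.rs, etc.
    weekly_downloads: int

# Constructed snapshot of an internal mirror, keyed by (ecosystem, name).
# Dates and counts are illustrative, not real registry data.
REGISTRY = {
    ("pypi", "huggingface_hub"):        PackageMeta(date(2020, 12, 4), 12, False, 5_000_000),
    ("pypi", "requests"):               PackageMeta(date(2011, 2, 14), 5, False, 60_000_000),
    ("pypi", "huggingface-cli-tools"):  PackageMeta(date(2026, 2, 20), 1, True, 400),
    ("npm", "@tanstack/react-query"):   PackageMeta(date(2022, 7, 14), 4, False, 3_000_000),
    ("npm", "react-query-toolkit"):     PackageMeta(date(2026, 1, 30), 1, True, 900),
}

# Packages already vetted and present in the org SBOM (constructed).
ALLOWLIST = {("pypi", "requests"), ("npm", "@tanstack/react-query")}

@dataclass(frozen=True)
class Verdict:
    allow: bool
    reason: str

def verify_package(name: str, ecosystem: str) -> Verdict:
    """The verify_package tool the article asks agents to call before any install.

    Fails closed: a name that is not allowlisted must exist on the mirror, be at
    least MIN_AGE_DAYS old, have a maintainer, and not execute code at install time.
    """
    key = (ecosystem, name)
    if key in ALLOWLIST:
        return Verdict(True, "allowlisted")
    meta = REGISTRY.get(key)
    if meta is None:
        return Verdict(False, "not found on mirror (possible hallucination)")
    age_days = (TODAY - meta.first_published).days
    if age_days < MIN_AGE_DAYS:
        return Verdict(False, f"first published {age_days} days ago (< {MIN_AGE_DAYS})")
    if meta.maintainers < MIN_MAINTAINERS:
        return Verdict(False, "no maintainers")
    if meta.has_install_script:
        return Verdict(False, "runs an install-time script; needs human review")
    return Verdict(True, f"on mirror for {age_days} days, no install script")

INSTALL_CMD = {"pypi": ["pip", "install"], "npm": ["npm", "install"]}

def gated_install(name: str, ecosystem: str, run=subprocess.run) -> Verdict:
    """Wrapper to call instead of the bare package manager.

    `run` is injectable so the gate can be exercised without a network; a shell
    alias or the agent's tool binding would use the default subprocess.run.
    """
    verdict = verify_package(name, ecosystem)
    if verdict.allow:
        run(INSTALL_CMD[ecosystem] + [name], check=True)
    return verdict

def gate_agent_attempts(attempts, run=lambda *a, **k: None):
    """Run a self-correcting agent's install attempts through the gate.

    Models the loop the article describes: the agent proposes a name, hits an
    error, and retries a variant. Each variant is gated; blocked names are
    returned so a human sees the whole cycle, not just the last attempt.
    """
    installed, blocked = [], []
    for ecosystem, name in attempts:
        verdict = gated_install(name, ecosystem, run=run)
        (installed if verdict.allow else blocked).append((name, verdict.reason))
    return installed, blocked

# Constructed sequence of what an agent might try while "self-correcting".
HALLUCINATION_LOOP = [
    ("pypi", "fast-json-parser-py"),
    ("pypi", "fastjsonparser"),
    ("pypi", "fast_json_parser"),
    ("pypi", "huggingface-cli-tools"),
    ("pypi", "huggingface_hub"),
]

if __name__ == "__main__":
    ok, bad = gate_agent_attempts(HALLUCINATION_LOOP)
    print("installed:", ok)
    for name, why in bad:
        print("blocked:", name, "->", why)
```

Run as a script, the gate blocks the three fast-json variants because they are absent from the mirror, blocks huggingface-cli-tools because it is nine days old and has an install script, and lets huggingface_hub through. The important property is that an unknown name is never silently treated as "fine to install": the verdict for each attempt is kept, so the human review gate sees the whole retry sequence rather than only the last command that happened to succeed.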

Does Retrieval-Augmented Generation Fix This?

RAG against a live package index reduces but does not eliminate hallucination. Cursor, Cody, and the current Claude Code integration all offer some form of package-aware retrieval, and benchmarks show a 40-70% reduction in hallucination rates when retrieval is working. The residual risk is in two places: edge-case queries where retrieval misses, and ecosystems where the registry API is slow or rate-limited and retrieval silently degrades to pure generation.

RAG is also only as good as the index it queries. If the index is a public registry without provenance filtering, the agent can retrieve a malicious typosquat as confidently as a legitimate package. Retrieval should query a vetted internal mirror, not raw npmjs.com, for this to be a real defense.
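The two residual-risk cases above, retrieval timing out and retrieval hitting an unvetted index, shown as an added example of fail-closed retrieval. This is not code from the article or from any of the assistants it names; the index classes, their search(query) interface, and the package descriptions (including the constructed typosquat in the public index) are stand-ins made up for the example.

```python
"""Fail-closed package retrieval for a RAG-backed assistant.

Added example for this article; it is not code from the article or from
any of the assistants it names. The index classes are constructed stand-ins
with a made-up `search(query)` interface (assumption); descriptions and
package lists are illustrative, not real registry data.
"""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Retrieval:
    candidates: tuple   # names retrieval is willing to vouch for, best first
    source: str         # which index answered
    degraded: bool      # True when nothing can be vouched for

class IndexTimeout(Exception):
    """Raised by an index that did not answer within the latency budget."""

def _terms(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))

class _StaticIndex:
    """Tiny keyword index over package descriptions (constructed)."""
    name = "unnamed"
    docs: dict = {}

    def search(self, query: str) -> list:
        q = _terms(query)
        scored = [(len(q & _terms(desc)), n) for n, desc in self.docs.items()]
        # best overlap first, then name, dropping packages that match nothing
        return [n for score, n in sorted(scored, key=lambda s: (-s[0], s[1])) if score]

class VettedMirror(_StaticIndex):
    name = "internal-mirror"
    docs = {
        "@tanstack/react-query": "Powerful asynchronous state management and data fetching for React",
        "swr": "React Hooks for data fetching",
    }

class RawPublicRegistry(_StaticIndex):
    """Unfiltered public index: a typosquat sits next to the real package."""
    name = "public-registry"
    docs = {**VettedMirror.docs,
            "react-query-toolkit": "React data fetching toolkit"}   # constructed typosquat

class SlowIndex(_StaticIndex):
    """Stand-in for a rate-limited registry API that never answers in time."""
    name = "slow-index"

    def search(self, query: str) -> list:
        raise IndexTimeout("index did not answer within budget")

TRUSTED_SOURCES = ("internal-mirror",)

def retrieve(query: str, index) -> Retrieval:
    """Query one index and report provenance. A failed or untrusted lookup is
    reported as degraded, never as 'no such package' or 'package verified'."""
    try:
        hits = index.search(query)
    except IndexTimeout:
        return Retrieval((), index.name, degraded=True)
    if index.name not in TRUSTED_SOURCES:
        # The raw registry returns the typosquat with the same confidence as
        # the real package, so none of its hits are vouched for.
        return Retrieval((), index.name, degraded=True)
    return Retrieval(tuple(hits), index.name, degraded=False)

def suggest_install(query: str, index) -> str:
    """What the assistant may emit. On degraded retrieval it refuses instead of
    falling back to free generation, which is where hallucinated names come from."""
    r = retrieve(query, index)
    if r.degraded or not r.candidates:
        return f"NO_VERIFIED_PACKAGE (source={r.source}, degraded={r.degraded})"
    return "npm install " + r.candidates[0]

if __name__ == "__main__":
    q = "react data fetching library"
    for idx in (VettedMirror(), RawPublicRegistry(), SlowIndex()):
        print(idx.name, "->", suggest_install(q, idx))
```

The point of the Retrieval record is the degraded flag: the assistant's caller can tell "the mirror said nothing matches" apart from "retrieval never ran", and only the former should be answered with a package name. Against the raw public index the same query surfaces the constructed react-query-toolkit alongside the real package, which is why its hits are discarded rather than ranked.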

How Safeguard.sh Helps

Safeguard.sh intercepts package installs before they reach your registry and validates every new name against a live graph of known-good packages, typosquat signatures, and the ongoing hallucination corpus we maintain across the top hosted and open-weight models. When an agent or developer attempts to install a package that matches a known hallucination pattern or has suspicious newness indicators, the install is blocked and Griffin AI autonomously proposes the correct canonical package with a rationale. Every install that does proceed is reflected in the generated SBOM with full provenance, so a future incident response can answer "did this hallucinated name ever land in production" in seconds. Reachability analysis then ensures that any CVE surfacing in these packages is triaged against actual code paths, cutting 60-80% of irrelevant alerts. For teams exposed through vendor AI tooling, the TPRM module tracks third-party agents and flags vendors whose install pipelines lack a verifier gate.
