You ask AI to write code, and the package it recommends doesn't actually exist — hackers already planted malware under that exact name
- Slopsquatting is a new supply-chain attack that exploits AI coding assistants hallucinating nonexistent package names, which attackers then register and fill with malicious code — named in April 2025 by Seth Larson, the Python Software Foundation's security developer-in-residence.
- An academic study tested 16 major code-generation models across 576,000 code samples and found 19.7% of recommended packages were hallucinated — commercial models averaged a 5.2% hallucination rate versus 21.7% for open-source models, roughly a 4x gap.
- The hallucinations are persistent: asking the same model the same prompt 10 times, 43% of fake package names showed up in every single run, and 58% repeated at least once — a predictable, stable target attackers can stake out in advance.
- This has already been proven in the real world: a security researcher registered
huggingface-cli, a fake package repeatedly hallucinated by multiple models, and it was downloaded over 15,000 times in three months — even ending up in the install instructions of Alibaba's official GraphTranslator project. - Among the mitigation methods tested, fine-tuning and combining multiple methods (ensemble) worked best, cutting the hallucination rate by about 85% — but fine-tuning noticeably hurt code-generation quality (pass@1), so there's a real trade-off between safety and capability.
Tricking you into installing the wrong package by misspelling its name — registries shut that down long ago
Installing a software package is something developers do dozens of times a day without thinking twice — one line of pip install or npm install pulls someone else's code from a public registry straight into your project. Attackers spotted this habit a long time ago.
The oldest trick is typosquatting: register a fake name that's off from a popular package by just one or two characters — say, registering crossenv when the real, widely-used package is cross-env — and bet that your fingers slip and install the malicious version instead. This trick has been around for decades, and centralized registries like PyPI and npm built protective blocklists for it long ago. A name like crossenv, off from cross-env by a single hyphen, looks like an obvious typo at a glance, so the registry blocks it outright.
It's the same trick as someone registering faceboook.com (with an extra o) to catch traffic from your typos. It looks familiar, but it's an impostor. A registry's blocklist exists specifically to catch names that look like obvious typos.
AI invents convincing package names out of thin air — and the old defenses can't tell the difference
AI coding assistants have changed this threat model. To produce the statistically most plausible answer, they'll confidently invent a package name that doesn't exist at all — and it sounds entirely reasonable. All an attacker has to do is figure out which fake names a given model likes to invent, then register a malicious package under that same name first. That's slopsquatting.
Slopsquatting combines AI slop (junk content generated by AI) with typosquatting. It was coined in April 2025 by Seth Larson, the Python Software Foundation's (PSF) security developer-in-residence, and spread after Ecosyste.ms creator Andrew Nesbitt posted it on Mastodon. It falls under the broader category of package confusion attacks — any technique that tricks developers into installing the wrong package — with typosquatting and exploiting AI hallucinations both being specific tactics under that umbrella.
The key difference: names AI invents aren't simple typos, so a registry's existing blocklists can't recognize them at all. The same blocklist produces two very different outcomes for the old trick and the new one:
crossenv is off from the real package cross-env by a single hyphen, a tiny edit distance — an obvious-looking typo at a glance. The registry's blocklist catches it immediately and blocks it.
cross-env-extended, mpn install cross-env file — these sound like legitimate extension packages, but don't correspond exactly to any real package. The blocklist can't recognize them, so they slip through.
Worse still, the brute-force fix of cross-checking generated package names against a list of known packages doesn't work either: attackers may have already registered the hallucinated package in the registry, which means the reference list itself is already contaminated.
This already happened for real: an empty package got downloaded 15,000 times
This isn't theoretical. In late 2023 and early 2024, Bar Lanyado, a researcher at security firm Lasso Security, ran a real test: he noticed that several large models kept hallucinating the same nonexistent Python package, huggingface-cli, so he actually registered that name on PyPI. The package was empty — no malicious code at all, purely an experiment.
huggingface-cliEven an empty package fooled its way to tens of thousands of downloads in three months and landed in a major company's official docs. If the package had actually contained malicious code, the infection would already have spread through the dependency chain. (Source: The Register, 2024-03-28)
Why these fake package names are worth staking out: AI keeps inventing the same name over and over
A single hallucination isn't the scary part — what's scary is that the same model, asked the same question, keeps inventing the exact same fake name. The research team randomly sampled 500 prompts that had previously triggered hallucinations, asked the same model each one 10 times, and recorded how many times the same fake package name reappeared.
The result was a clear split into two extremes: 43% of hallucinated package names appeared in all 10 runs, 39% never reappeared at all, and 58% repeated at least once. Most hallucinations are stable, reproducible behavior — ask again at a different time, in a different session, and the same fake name shows up again. For an attacker, a reliably reproducible fake name is a target they can stake out in advance and register in bulk.
What do these fake package names look like
The study also measured how similar these fake names actually are to real package names, using Levenshtein distance (edit distance). It measures the minimum number of character changes needed to turn one name into another — a small distance means the two names look alike and could be a typo, while a large distance means the two words aren't related at all.
On top of that, 81% of unique fake names only appeared on one of the 16 models tested — meaning each model essentially has its own exclusive set of hallucinations. Whichever model an attacker targets, they can harvest developers who use that specific model.
Can a model recognize the fake packages it invented itself?
The study also tested whether models can identify hallucinated packages. Mixing real and fake package names and asking the model "is this a valid Python package," GPT-4 Turbo, GPT-3.5, and DeepSeek all identified their own hallucinations with over 75% accuracy. Models appear to have an implicit self-awareness of their own generation patterns — which is exactly what opens the door for the "have the model double-check itself" mitigation discussed later.
Open-source models hallucinate 4x more than commercial ones — but nobody is fully immune
For the same coding task, which model you pick makes a huge difference in your odds of hitting a landmine. This study generated 576,000 code samples and over 2.2 million package references in total, with an overall hallucination rate of 19.7%. Broken down, commercial and open-source models differ by roughly 4x.
Looking at individual models, GPT-4 Turbo had the lowest hallucination rate at just 3.59%; even DeepSeek, the best performer among open-source models, still came in at 13.63%.
Two settings amplify the hallucinations further: the higher the temperature (the parameter controlling randomness), the more hallucinations occur — at the highest temperature, open-source models actually invented more fake packages than real ones. Even so, GPT-4 at its highest temperature (8.9%) was still nearly 4x lower than GPT-3.5 (31.8%). Separately, when asked about topics that emerged after a model's training cutoff, the hallucination rate averaged 10% higher than for older topics. For production environments sensitive to package-name accuracy, simply choosing a commercial model cuts a large chunk of this risk on its own.
There are fixes — but they force a trade-off between safety and code quality
The research team tested several mitigation methods, moving from "filter after generation" toward "prevent before generation" — with each layer working better than the last.
The most basic method is cross-filtering against a real package list after generation, but as noted earlier, attackers can poison that list — it's purely reactive damage control. A step further are two pre-generation interventions: RAG (retrieval-augmented generation) has the model look up a list of real packages before answering and feeds that into the prompt, like handing out an authoritative reference sheet before an open-book exam; self-refinement has the model judge whether each package name is real after generating it, and rewrite if it decides it's wrong, up to 5 retries. Beyond that are fine-tuning and ensemble (stacking several of the above methods together).
The chart below lets you switch between two open-source models to see how far each of the five methods drove the hallucination rate down:
Fine-tuning cuts hallucinations the most, but at the cost of the code's actual runnable quality. Measured by HumanEval's pass@1 (whether the code the model writes in one shot actually runs and passes tests — higher is more reliable), DeepSeek's pass@1 dropped from 51.4% to 25.3% after fine-tuning, and CodeLlama's from 19.6% to 16.4%. Wanting more safety means accepting a hit to coding ability. RAG and self-refinement don't cut hallucinations as aggressively as fine-tuning, but they barely hurt code quality — a more balanced compromise.
| Model | Original pass@1 | After fine-tuning pass@1 |
|---|---|---|
| DeepSeek | 51.4% | 25.3% |
| CodeLlama | 19.6% | 16.4% |
As AI writes more and more code, this vulnerability gap will only keep widening
The threat surface for this attack path is expanding fast, because more and more code is being written with AI's help.
The open-source ecosystem's overall security picture is also getting worse. A study analyzing 31,267 vulnerability samples across 10 languages found that reported vulnerabilities are growing at 98% per year — far outpacing the 25% annual growth rate of the total package count.
Even more worth watching is the share coming from deliberately malicious sources: among these vulnerability reports, 49% in the NPM ecosystem and 14% in PyPI stem from packages deliberately uploaded to be malicious. A substantial chunk of the pitfalls in these registries were dug on purpose. AI-hallucinated packages just open one more door for this kind of deliberate attack.
Two things any developer can start doing right now
This attack exploits a gap in trust: developers assume whatever package AI recommends is real, and skip verifying before installing. Closing that gap costs almost nothing — just two things.
pip install the moment you get a name.Layer on what was mentioned earlier: for scenarios where package-name accuracy really matters, choosing a commercial model — or one that's been through RAG or fine-tuning — cuts this layer of risk down even further.
A persistent hallucination is more valuable to an attacker looking to exploit this vulnerability, making this hallucination attack path a more viable threat. Paper "We Have a Package for You!", USENIX Security 2025
The old trick of tricking you into installing the wrong package just got an upgrade — from "betting on your typo" to "letting AI invent the fake name for you"
A study covering 16 models and 576,000 code samples: nearly one in five AI-recommended packages don't exist at all, and hackers are registering the same names and stuffing them with malware — already racking up 15,000 real downloads.
↓ Read the whole thing on this page · includes an animated attack-loop diagram
Programmers install "packages" every single day — ready-made code someone else wrote and packaged up, pulled into your project with a single command. Hackers spotted this habit a long time ago.
The oldest trick is "typosquatting": register a fake name off from a well-known package by just one or two characters, and bet that your fingers slip. PyPI, npm, and other public registries have built protective blocklists against it for decades.
✘ Can't block a brand-new fake name AI invented out of nowhere, far removed from any real package
The old blocklist only recognizes fake names that "look like typos" — it can't recognize new names that "sound reasonable but don't actually exist."
To give the "most plausible-sounding" answer, AI coding assistants will confidently invent a package name that doesn't exist — that's called a "hallucination." All a hacker has to do is figure out which fake names a given model likes to invent, register the same name in the registry first, and stuff it with malware. The industry has a name for this trick: slopsquatting.
Off from the real package by one hyphen — a tiny edit distance. The blocklist catches it at a glance, blocked.
Sounds like a legitimate extension package, but doesn't exactly match any real package. The blocklist can't recognize it — it slips through.
Worse still: this fake name isn't a one-off accident — the same model keeps inventing the same one over and over, which lets hackers stake it out in advance.
The research team asked the same model the same question 10 times in a row; 43% of the fake names came out every single time, and 58% reappeared at least once. This isn't random noise — it's a stable target that can be staked out in advance. The whole attack chain turns into a closed loop simply because the fake name keeps reappearing:
How much a model hallucinates is strongly tied to which model you pick — and as AI writes more and more code, this gap will only widen. First, let's put it plainly: out of 100 package references written by a given model, how many are fake?
All the hallucination-rate figures come from real-world testing in an academic paper (arXiv:2406.10279, USENIX Security 2025), and the 15,000 downloads come from a real experiment by security firm Lasso Security — none of this is vendor self-promotion. A separate "50%–82%" figure comes from a medical-scenario study, a different measure entirely — don't conflate the two.
crossenv (fake — missing one hyphen)
Registries handled that ages ago
but this defense is about to fail...
but it doesn't exist — AI made it up out of thin air
nearly one in five AI-recommended packages is made up
Snuck right in
how bad can it be?
this name
even landed in Alibaba's official install instructions
to see if this package is even real
- × Don't install the moment you get a name
- × Don't assume "AI recommended it, so it must be real"