20% of AI-Generated Code References Packages That Don't Exist
of AI-generated code samples reference non-existent packages. Attackers register these hallucinated names on npm and PyPI with malicious post-install scripts — a supply chain attack called slopsquatting.
The Attack
Slopsquatting is a supply chain attack that weaponizes AI hallucinations. When an AI coding assistant generates code, approximately 20% of the time it references packages that do not exist — names that sound plausible but have never been published to any registry. Attackers monitor these hallucinated names, register them on npm or PyPI, and fill them with malicious post-install scripts that steal credentials from the developer’s environment.
The term was coined by Python core developer Seth Larson as a variant of typosquatting. Where typosquatting exploits typing errors (reqeusts instead of requests), slopsquatting exploits the AI’s confident generation of fictional dependencies.
Why It Works
Three properties make this attack unusually effective:
-
Predictability: 43% of hallucinated package names recur across multiple AI runs. The same models hallucinate the same fake packages repeatedly, giving attackers stable targets to register.
-
Confidence: AI assistants present hallucinated packages with the same authority as real ones. There is no hedging, no “this package may not exist.” The import statement looks identical to a legitimate dependency.
-
Automation: Developers using AI coding agents often have automated pipelines that run
npm installorpip installon generated requirements without manual review. The malicious package installs, its post-install script executes, and credentials are exfiltrated — all before the developer reads the generated code.
Real-World Cases
-
huggingface-cli: Researchers at Lasso Security discovered AI models repeatedly hallucinating this package name. It was flagged before an attacker could claim it, but the pattern demonstrated the attack’s viability.
-
starlette-reverse-proxy: Trend Micro observed an AI agent “confidently” generating code that imported this phantom Python package, with the build crashing on “module not found” — the only thing that prevented exploitation was that no attacker had registered it yet.
The Numbers
In a study of 576,000 AI-generated Python and JavaScript code samples, 20% included at least one non-existent package. Across the broader ecosystem, the JavaScript and Python registries are the highest-risk targets given the volume of AI-assisted development in those languages.
The Lesson
Every import statement generated by an AI assistant is an implicit trust decision. If your pipeline installs dependencies without verifying they exist in a known-good lockfile, you are one hallucination away from a supply chain compromise. Lockfiles, provenance tracking, and automated package validation are not optional when AI writes your dependency list.