DEV Community

Dylan Fitzgerald

AI is Hallucinating Package Names - And Hackers Are Ready

The 19.6% Problem Nobody's Talking About

If you're using AI to help write code (and let's be honest, who isn't?), there's a 1 in 5 chance it's telling you to install packages that don't exist.

Worse? Hackers know this. They're already registering these phantom packages with malware.

What is Slopsquatting?

Seth Larson from the Python Software Foundation coined the term "slopsquatting" to describe this emerging attack vector. It's like typosquatting's evil AI-powered cousin.

Here's how it works:

1. AI hallucinates a plausible package name (e.g., 'express-validator-extended')
2. Attackers analyze AI outputs to predict these hallucinations
3. They register the fake packages with malicious code
4. Developers copy-paste AI suggestions (or autofill them with agentic tools) and unknowingly install malware

The Numbers Are Staggering

The USENIX 2025 study tested 16 coding models and found:

  • Average hallucination rate: 19.6%
  • Commercial models (GPT-4, Claude): 5.2%
  • Open-source models: 21.7%
  • Total unique hallucinated packages found: 205,474

Real-World Example: huggingface-cli

Researchers created a dummy package called huggingface-cli - a name frequently hallucinated by AI models.

Results after 3 months:

  • 30,000+ downloads
  • Major companies had it in their requirements
  • Zero actual functionality (thankfully just empty, not malicious)

Why Traditional Security Tools Miss This

Your current security stack probably includes:

  • Dependency scanners: Check known vulnerabilities in real packages
  • SAST tools: Analyze your code for security issues
  • License compliance: Ensure you're using approved packages

But none of these ask: "Should this package even exist?"

The Detection vs. Remediation Gap

Even if tools could detect slopsquatting, there's a bigger problem:

  // What current tools do:
  "⚠️ Warning: 'express-auth-validator' may not be a legitimate package"

  // What fast-moving teams need:
  "✅ Fixed: Replaced with 'express-validator' and updated imports"

Most security tools stop at detection. But with AI generating code 10x faster, we need automated fixes that match that speed.

Building AI-Aware Security

At RSOLV, we're tackling this with a three-pronged approach:

  1. AI-Era Detection

def detect_hallucinated_package(package_name, language):
    """Design sketch: each comment below is one signal, combined into a verdict."""
    # Check package registry existence
    # Analyze naming patterns common in hallucinations
    # Compare against known AI suggestion patterns
    # Check registration date vs AI training cutoffs
    raise NotImplementedError("sketch only; the four checks above are the design")

  2. Automated Remediation

Instead of just flagging issues, we:

  • Identify the likely intended package
  • Generate a working fix
  • Create a PR with the corrected dependency
  • Include security impact analysis

Automated remediation is actually our primary product, and it's what lets us treat slopsquatting as a lightweight side project rather than a full product offering!

  3. Success-Based Alignment

We only get paid when you merge our fixes. No false positives eating your budget. No seat licenses for tools that just create more backlog.

What You Can Do Today

Immediate Steps:

  1. Audit recent AI-assisted code for suspicious package names
  2. Check package creation dates - be wary of very new packages
  3. Verify package legitimacy before installing:
# Check npm (prints registry metadata, or an E404 error if the name is unregistered)
npm view [package-name]

# Check PyPI: 'pip index versions' queries the index without installing anything
# ('pip show' only reports packages already installed locally, so it can't verify a new name)
pip index versions [package-name]

# Check with your favorite package manager

Long-term Protection:

  1. Implement registry validation in your CI/CD pipeline
  2. Use AI coding tools with caution - always verify package suggestions
  3. Consider automated remediation for when issues are found
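The following is an added example, not RSOLV's code or the study's tooling. It turns the detection sketch under "AI-Era Detection", the verify-before-installing step above, and the "registry validation in your CI/CD pipeline" recommendation into one script: it parses requirements.txt and package.json, checks each dependency for registry existence, registration age, and hallucination-style naming, suggests the likely intended package by name similarity, and exits non-zero so the CI job fails. The affix list, the 90-day "very new" threshold, the training-cutoff date, and the demo registry fixture are all constructed assumptions; the registry lookup is injectable so the logic runs offline, with a live lookup against the public PyPI and npm JSON APIs for real use.

```python
"""CI gate for AI-hallucinated dependencies (added example, not RSOLV's code)."""
import datetime as dt
import difflib
import json
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed heuristic list of affixes LLMs tend to bolt onto real package names;
# a real deployment would tune this from observed model output.
SUSPICIOUS_AFFIXES = ("-extended", "-plus", "-utils", "-helper", "-advanced", "-pro")
NEW_PACKAGE_DAYS = 90                           # "be wary of very new packages"
ASSUMED_TRAINING_CUTOFF = dt.date(2024, 1, 1)   # assumption; track per-model cutoffs in practice


@dataclass
class Finding:
    name: str
    ecosystem: str
    reasons: List[str] = field(default_factory=list)
    suggestion: Optional[str] = None            # likely intended package, if any


def parse_requirements(text: str) -> List[str]:
    """Distribution names from a requirements.txt body, ignoring version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
            if m:
                names.append(m.group(1).lower())
    return names


def parse_package_json(text: str) -> List[str]:
    """Dependency names from package.json (dependencies + devDependencies)."""
    data = json.loads(text)
    return [n for k in ("dependencies", "devDependencies") for n in data.get(k, {})]


def check_package(name, ecosystem, lookup, today, known_good) -> Optional[Finding]:
    """lookup(name, ecosystem) -> None if unregistered, else {"created": date}."""
    reasons = []
    pattern_hit = name.endswith(SUSPICIOUS_AFFIXES)
    meta = lookup(name, ecosystem)
    if meta is None:
        reasons.append("not found in registry")
        if pattern_hit:
            reasons.append("name matches a common hallucination pattern")
    else:
        age_days = (today - meta["created"]).days
        if age_days < NEW_PACKAGE_DAYS:
            reasons.append(f"registered only {age_days} days ago")
        if pattern_hit and meta["created"] > ASSUMED_TRAINING_CUTOFF:
            reasons.append("hallucination-pattern name registered after assumed model cutoff")
    if not reasons:
        return None
    finding = Finding(name, ecosystem, reasons)
    # Remediation hint: closest known-good name (difflib similarity ratio >= 0.6).
    close = difflib.get_close_matches(name, known_good, n=1, cutoff=0.6)
    if close and close[0] != name:
        finding.suggestion = close[0]
    return finding


def scan(requirements_txt, package_json, lookup, today, known_good) -> List[Finding]:
    """Run check_package over both manifests; an empty list means the gate passes."""
    deps = [(n, "pypi") for n in parse_requirements(requirements_txt)]
    deps += [(n, "npm") for n in parse_package_json(package_json)]
    results = (check_package(n, eco, lookup, today, known_good) for n, eco in deps)
    return [f for f in results if f is not None]


def registry_lookup(name, ecosystem):
    """Live lookup via the public PyPI / npm JSON APIs (needs network access)."""
    url = (f"https://pypi.org/pypi/{name}/json" if ecosystem == "pypi"
           else f"https://registry.npmjs.org/{name}")
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None                         # unregistered name
        raise
    if ecosystem == "pypi":
        uploads = [f["upload_time_iso_8601"] for files in data["releases"].values() for f in files]
        created = min(uploads) if uploads else "0001-01-01"   # no files: treat as old
    else:
        created = data["time"]["created"]
    return {"created": dt.date.fromisoformat(created[:10])}


# Constructed offline fixture so the gate can be exercised without network access.
DEMO_TODAY = dt.date(2024, 4, 1)
DEMO_REGISTRY = {("requests", "pypi"): {"created": dt.date(2011, 2, 14)},
                 ("express-validator", "npm"): {"created": dt.date(2012, 1, 1)},
                 ("freshly-made", "npm"): {"created": dt.date(2024, 3, 15)}}
DEMO_KNOWN_GOOD = ["requests", "express-validator"]   # e.g. names from your lockfile
DEMO_REQUIREMENTS = "requests==2.31.0  # real\nrequests-helper\n-r other.txt\n"
DEMO_PACKAGE_JSON = ('{"dependencies": {"express-validator-extended": "^1", "express-validator": "^7"},'
                     ' "devDependencies": {"freshly-made": "1.0.0"}}')


def demo_scan() -> List[Finding]:
    return scan(DEMO_REQUIREMENTS, DEMO_PACKAGE_JSON,
                lambda n, e: DEMO_REGISTRY.get((n, e)), DEMO_TODAY, DEMO_KNOWN_GOOD)


if __name__ == "__main__":
    # Usage: python gate.py requirements.txt package.json known_good.txt (no args runs the demo)
    if len(sys.argv) == 4:
        req, pkg, good = (open(p).read() for p in sys.argv[1:4])
        results = scan(req, pkg, registry_lookup, dt.date.today(), good.split())
    else:
        results = demo_scan()
    for f in results:
        hint = f" -> did you mean '{f.suggestion}'?" if f.suggestion else ""
        print(f"[{f.ecosystem}] {f.name}: {'; '.join(f.reasons)}{hint}")
    sys.exit(1 if results else 0)               # non-zero exit fails the CI job
```

The known-good list is the piece that turns detection into a remediation hint: feeding it the names from your existing lockfile means a hallucinated variant such as `express-validator-extended` is matched back to `express-validator`, which is exactly the "identify the likely intended package" step. Each reason is kept as a separate signal rather than collapsed into a score, so a team can decide for itself whether "registered 17 days ago" alone should block a merge or only warn.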

The Future of AI Security

As AI adoption accelerates, we're seeing entirely new vulnerability classes emerge. Slopsquatting is just the beginning.

The security industry needs to evolve from:

  • Reactive → Proactive: Anticipating AI-specific threats
  • Detection → Remediation: Fixing faster than AI can create problems
  • Generic → Contextual: Understanding AI behavior patterns

Join the Conversation

We're building in public and sharing our discoveries along the way. Check out our first IndieHackers post where we dive deeper into how we discovered this while building automated security remediation.

Want to see if your codebase has AI-hallucinated dependencies? Pay us a visit at RSOLV.dev - we detect and fix security issues automatically.

What's your experience with AI code generation? Have you noticed any suspicious package suggestions? Let's discuss in the comments!
