One in five AI-generated code samples recommends a package that does not exist. Attackers are registering those phantom names on npm and PyPI with malware inside. The term for this is slopsquatting, and it is already happening.
What Slopsquatting Actually Is
Typosquatting bets on human misspellings. Slopsquatting bets on AI hallucinations. The term was coined by Seth Larson, Security Developer-in-Residence at the Python Software Foundation, to describe a specific attack: register the package names that LLMs consistently fabricate, then wait for developers to install them on an AI's recommendation.
A USENIX Security 2025 study analyzed 576,000 code samples across 16 language models and found that roughly 20% recommended at least one non-existent package. The hallucinations fall into three categories. 51% are pure fabrications with no basis in reality. 38% are conflations of real packages mashed together (like express-mongoose). 13% are typo variants of legitimate names.
The part that makes this exploitable is consistency. 43% of hallucinated package names appeared every time across 10 repeated queries, and 58% appeared more than once. An attacker does not need to guess which names an LLM will invent. They ask the same question a few times, collect the phantom names, and register them.
Traditional typosquatting registers names like crossenv hoping someone will mistype cross-env. Existing registry defenses flag new package names that are too close to popular ones. Hallucinated names bypass this entirely. They are often novel strings that no filter anticipates, because no real package was the starting point.
From Theory to 30,000 Downloads
Security researcher Bar Lanyado tested this by asking multiple LLMs for Python package recommendations. They consistently hallucinated a package called huggingface-cli. Lanyado registered the name on PyPI as an empty placeholder with no malicious code. Within three months, it had over 30,000 downloads. All organic. All from developers (or their AI tools) running pip install huggingface-cli based on a model's confident recommendation.
Another package, unused-imports, was confirmed malicious and still pulling roughly 233 downloads per week as of early 2026. The legitimate package is eslint-plugin-unused-imports. Developers keep installing the wrong one because AI assistants keep suggesting it.
A sharper example surfaced in January 2026. Aikido Security researchers found that react-codeshift, a name conflating the real packages jscodeshift and react-codemod, appeared in a batch of LLM-generated agent skill files committed to GitHub. No human planted it. The hallucination entered version control through automated code generation, where other tools could pick it up and propagate it further.
How the Payload Works
The attack payload is typically a post-install script. When you run npm install malicious-package, npm executes any postinstall script defined in the package's package.json automatically. The script steals API keys, cloud tokens, and SSH keys accessible from the local environment.
Some newer variants skip embedded code entirely, using npm's URL-based dependency support to fetch payloads externally at install time. The package.json looks clean because the malicious code is only fetched when the dependency is resolved. Static scanners see nothing.
There is also a cross-ecosystem angle. The USENIX study found that 8.7% of hallucinated Python package names turned out to be valid JavaScript packages. An attacker could register the same phantom name on both npm and PyPI, catching traffic from both ecosystems with a single fabricated name.
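An added example (not from the original article) of the kind of check a defender can run over a package.json before letting an agent install it: it reports the lifecycle hooks npm would execute automatically and any dependency spec that points at a URL or git remote rather than a pinned registry version. The manifest and names below are constructed; flagged entries warrant review, since legitimate native packages also use install scripts.

```python
# Audit a package.json for the install-time execution vectors described above:
# lifecycle scripts npm runs automatically, and dependency specs that pull code
# from a URL or git remote instead of a pinned registry version.
import json
import re

# Hooks npm runs without prompting on install (unless --ignore-scripts is set);
# "prepare" additionally runs when a dependency is installed from git.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Specs that resolve outside the registry: tarball URLs, git URLs, hosted shorthands.
REMOTE_SPEC = re.compile(
    r"^(https?://|git(\+(ssh|https?|file))?://|git@|github:|gitlab:|bitbucket:|gist:)"
)


def audit_package_json(text):
    """Return lifecycle hooks and remote dependency specs found in a package.json string."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    hooks = {name: scripts[name] for name in LIFECYCLE_HOOKS if name in scripts}
    remote = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if isinstance(spec, str) and REMOTE_SPEC.match(spec):
                remote[name] = spec
    return {"lifecycle_scripts": hooks, "remote_dependencies": remote}


def is_suspicious(text):
    """True when the manifest would execute code or fetch it from outside the registry."""
    report = audit_package_json(text)
    return bool(report["lifecycle_scripts"] or report["remote_dependencies"])


# Constructed sample manifest; "build" is an ordinary script and is not flagged.
SAMPLE_MANIFEST = """{
  "name": "example-conflated-pkg",
  "version": "1.0.0",
  "scripts": {"build": "tsc", "postinstall": "node setup.js"},
  "dependencies": {
    "lodash": "^4.17.21",
    "helper-lib": "https://example.invalid/helper-1.0.0.tgz"
  }
}"""
```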
Defending Your Workflow
The best defense layers multiple checks. Here is what works today.
Lock your dependencies. Use package-lock.json, yarn.lock, or poetry.lock and commit them to version control. A lockfile pins exact versions and checksums, so even if a malicious package appears later under the same name, existing installs are not affected. Run npm ci (not npm install) in CI to enforce the lockfile strictly.
Verify before you install. When an AI suggests a package you have not used before, check it first. On npm, npm info <package-name> shows the publisher, creation date, and weekly downloads. On PyPI, check pypi.org directly. A package created last week with no README, a single version, and no GitHub link is a red flag. Cross-reference the name against the library's official documentation.
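The verification step above, as an added example that is not part of the original article: it reads the npm registry document for a package (the same data `npm info` shows) and returns the red flags listed in the text, namely that the name does not exist, was created recently, has a single version, no repository link, or no README. The 30-day threshold, the sample metadata and the package name are assumptions; weekly downloads come from a separate endpoint and are left to `npm info`.

```python
# Pre-install check for an AI-suggested npm package, scoring the registry
# signals described above: existence, age, version count, repository, README.
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

REGISTRY = "https://registry.npmjs.org/"
MIN_AGE_DAYS = 30  # assumption: treat anything younger as suspicious
MISSING_README = "ERROR: No README data found!"  # placeholder npm stores when there is no README


def fetch_npm_metadata(name):
    """Fetch the registry document for `name`; None means the package does not exist."""
    try:
        with urllib.request.urlopen(REGISTRY + name, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def assess_npm_metadata(meta, now=None):
    """Return the red flags for a registry document (None == not on npm at all)."""
    if meta is None:
        return ["not found on npm: the name may be a hallucination"]
    now = now or datetime.now(timezone.utc)
    created = datetime.fromisoformat(meta["time"]["created"].replace("Z", "+00:00"))
    flags = []
    if (now - created).days < MIN_AGE_DAYS:
        flags.append(f"created {(now - created).days} days ago")
    if len(meta.get("versions", {})) == 1:
        flags.append("only one published version")
    if not meta.get("repository"):
        flags.append("no repository link")
    if (meta.get("readme") or "").strip() in ("", MISSING_README):
        flags.append("no README")
    return flags


# Constructed sample mimicking the registry document of a freshly published package.
SAMPLE_NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)
SAMPLE_META = {
    "time": {"created": "2026-01-20T10:00:00.000Z"},
    "versions": {"1.0.0": {}},
    "readme": MISSING_README,
}
```

To check a real suggestion, call `assess_npm_metadata(fetch_npm_metadata("<package-name>"))`; an empty list means none of the heuristics fired, not that the package is safe.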
Use a scanning wrapper. Aikido SafeChain is an open-source tool for npm, yarn, pnpm, pip, and other package managers that intercepts install commands and validates packages against threat intelligence before anything hits your machine. Install it:
curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh
# Restart your terminal, then use npm/pip/yarn normally -- SafeChain intercepts automatically
npm install some-package
It is free, requires no API tokens, and adds a few seconds per install.
Sandbox autonomous agents. If you use AI coding agents that install packages without confirmation, run them inside ephemeral containers or VMs. A malicious post-install script in a throwaway Docker container cannot exfiltrate your host credentials. At minimum, restrict your agent's permissions so it cannot run npm install without your explicit approval.
Disable post-install scripts for untrusted packages. Run npm install --ignore-scripts to skip all lifecycle scripts during installation, then selectively allow scripts for known-good packages. This blocks the most common slopsquatting payload vector at the cost of some manual setup.
Add a CI gate. Integrate Software Composition Analysis into your pipeline. Tools like OWASP dep-scan flag unknown or newly published packages before they reach production. Generate and sign Software Bills of Materials (SBOMs) for every build so each dependency is auditable. If a package does not appear in your organization's approved registry, the build should fail.
The Growing Attack Surface
The scale of this problem is what matters. As AI coding tools move from pair programming to autonomous agents that install dependencies without human review, the attack surface expands. A developer who reads a suggestion and checks the docs has some protection. An AI agent running npm install in an automated loop does not.
Registries have no automated defense against slopsquatting yet. npm's existing protections catch names similar to popular packages, but hallucinated names often bear no resemblance to real ones. They are novel strings that no similarity filter anticipates.
The react-codeshift case previews the feedback loop. An LLM hallucinates a package name. An AI agent writes code using it. That code gets committed to GitHub. A different LLM trains on or retrieves that code. The hallucination spreads further. Each step increases the download count, which makes the package look more legitimate, which makes the next LLM more likely to recommend it.
Whether or not the registries catch up, the exposure falls on developers who accept AI package suggestions at face value.
Key Takeaway
Before installing any AI-suggested package, run npm info <package-name> or check pypi.org to verify it exists, its age, and its publisher. For automated workflows, install SafeChain as a drop-in wrapper, and never let an AI agent run package installs outside a sandboxed environment. The 20% hallucination rate means one in five suggestions could be a trap.