📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
A developer asks their AI coding assistant for a Python package to handle JWT validation. The AI recommends python-jwt-validator with a confident description of its API, usage examples, and a note that it has over 2 million weekly downloads. The developer runs pip install python-jwt-validator. The package installs. The code runs. Six weeks later, a security audit finds that the package exfiltrated environment variables to an external server on every import.
python-jwt-validator doesn’t exist in any AI training data as a legitimate package. The AI hallucinated it. An attacker found that AI coding assistants consistently recommended it for JWT tasks, registered it on PyPI with malicious code, and waited for developers to follow the AI’s confident recommendation. This attack class has a name now: slopsquatting. And it’s one of several ways adversaries have learned to weaponise AI confabulation rather than fight it. Let learn how hacker conduct AI Hallucination Attacks in 2026.
🎯 After This Article
How slopsquatting works — and why AI hallucinated package names are a persistent supply chain attack surface
CVE fabrication attacks — how attackers use hallucinated vulnerability advisories in social engineering
Hallucination amplification — the prompting patterns that push AI systems to confabulate on demand
How to test an AI system’s hallucination rate under adversarial conditions
Practical defences for development teams using AI coding assistants in security-sensitive workflows
⏱️ 20 min read · 3 exercises · Article 26 of 90 ### 📋 Contents 1. Slopsquatting — When the Package the AI Recommends Doesn’t Exist Yet 2. CVE Fabrication — Hallucinated Vulnerability Advisories 3. Hallucination Amplification — Pushing AI to Confabulate 4. Testing AI Systems for Adversarial Hallucination 5. Defence — What Actually Works for Development Teams ## Slopsquatting — When the Package the AI Recommends Doesn’t Exist Yet The mechanics of slopsquatting are straightforward. AI models trained on code repositories learn associations between task descriptions and package names — associations that include packages that were mentioned speculatively, existed briefly then were deleted, or were simply confabulated during training data generation. When developers prompt AI assistants with “how do I implement X in Python/Node/Rust,” the model recommends based on these learned associations, including names that don’t correspond to real published packages.
An attacker identifies these consistently hallucinated names — by testing AI assistants at scale with common task prompts and noting packages recommended that don’t exist on the relevant registry. They then register those package names with malicious code. The code typically looks legitimate (it may even implement the described functionality) while also executing a malicious payload on import: environment variable exfiltration, credential theft, reverse shell establishment, or persistence installation.
The attack is particularly effective because it bypasses almost every traditional supply chain defence. The attacker isn’t typosquatting an existing trusted package — they’re registering a genuinely new name. Dependency scanning tools that check against known-malicious packages won’t flag it. Version pinning doesn’t help if developers install it the first time on the AI’s recommendation. The vulnerability is in the developer’s trust in the AI, not in any package security control.
Do you verify AI-recommended packages before installing them?
Always — I check the registry every time Usually — if it’s an unfamiliar package Rarely — I trust the AI recommendation I didn’t know this was a risk
SLOPSQUATTING — HOW TO IDENTIFY HALLUCINATED PACKAGE NAMESCopy
Test AI for package hallucinations — query with common task prompts
AI query: “Best Python package for JWT authentication in FastAPI 2026”
AI query: “Node.js package to parse and validate JWTs without dependencies”
AI query: “Rust crate for AES-256-GCM encryption that’s actively maintained”
For each recommended package, verify existence on registry
pip index versions [package-name] # PyPI check
npm view [package-name] version # npm check
cargo search [crate-name] # crates.io check
If package doesn’t exist → hallucination identified
Check download stats and creation date if it DOES exist
Legitimate package: exists for years, thousands of downloads, contributors
Squatted package: created recently, few downloads, single contributor, unusual code
Static analysis for recently registered packages
pip download [package-name] –no-deps -d ./pkg_audit/
unzip ./pkg_audit/*.whl -d ./extracted/
grep -r “requests|urllib|socket|subprocess|exec|eval” ./extracted/
securityelites.com
Slopsquatting Attack Chain
STEP 1
Attacker queries AI assistants at scale with common task prompts → identifies packages AI consistently recommends that don’t exist on registries
↓
STEP 2
Attacker registers hallucinated names on PyPI/npm/crates.io with malicious code that implements plausible functionality + payload
↓
STEP 3
Developer asks AI assistant for package recommendation → AI confidently recommends attacker’s package → developer installs without verification
↓
PAYLOAD
Package import exfiltrates env vars, installs persistence, or establishes reverse shell → attacker has code execution in developer environment
DEFENCE: Verify every AI-recommended package exists on the registry with expected history before installing. No exception for “trusted” AI assistants.
📸 Slopsquatting attack chain. The attacker’s leverage is the AI’s confidence — a hallucinated package recommendation arrives with the same certainty as a recommendation for numpy or requests. Traditional supply chain defences (dependency pinning, known-malicious package scanning) don’t intercept this attack because the package name was never associated with a trusted version. The only effective interception point is verification before install.
📖 Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
Top comments (0)