March 21, 2026·OpenSyber Research·7 min read

SLOPSQUATTING

When AI Hallucinations Become Attack Vectors


Slopsquatting is a software supply chain attack in which adversaries register the npm, PyPI, or crates.io package names that large language models frequently hallucinate. When an AI coding agent such as Cursor, Copilot, or Claude Code suggests a package that does not exist, and a developer or automated pipeline installs it, the install runs attacker-controlled code. Security researchers identified 58,000+ unique hallucinated package names across GPT-4, Claude, and Gemini in a February 2026 study, and attackers had already registered 4,600 of them on npm alone.

How does slopsquatting work?

The attack has 4 steps. First, the attacker prompts several LLMs with common coding tasks (for example, "parse CSV in Node.js") and collects the suggested package names that do not exist on npm. Second, the attacker registers those names on npm with trojanized code, typically a postinstall script that exfiltrates environment variables. Third, a developer asks an AI coding agent the same question and receives the hallucinated name as a recommendation. Fourth, the developer runs npm install, and npm executes the malicious postinstall script as part of the installation. The attack costs the attacker essentially nothing, because npm registration is free.

What hallucinated packages have been weaponized?

Below are 5 examples of package names that LLMs repeatedly produce in generated code even though no such package legitimately exists; attackers have registered, or could register, each of them. Each row pairs the hallucinated name with the legitimate package it resembles and the download count the page reports for the fake package. These names appear in AI-generated code suggestions across multiple models.

Hallucinated name        Legitimate package it resembles   Downloads of the fake package
react-auth-helper        react-auth-kit                    2,400
express-rate-limiter     express-rate-limit                8,100
next-seo-optimizer       next-seo                          1,700
node-csv-writer          csv-writer                        5,300
mongo-sanitizer          express-mongo-sanitize            3,900

Why are AI coding agents especially vulnerable?

AI coding agents are more vulnerable than manual development for 3 reasons. First, agents execute npm install automatically without human review; 73% of Cursor and Copilot agent sessions auto-install suggested dependencies. Second, agents lack package reputation awareness; they cannot distinguish a package published today from one with 5 years of history. Third, agents operate with full filesystem and network access, so a malicious postinstall script can read .env files, SSH keys, and cloud credentials immediately. Note that npm runs install-time lifecycle scripts by default: setting ignore-scripts=true in .npmrc (or passing --ignore-scripts) stops them from executing, at the cost of breaking the few packages that legitimately need a build step during install.

How does OpenSyber detect slopsquatting?

OpenSyber detects slopsquatting through 3 layers. Layer 1: every npm install triggers a real-time Socket.dev scan that flags packages younger than 30 days, packages with obfuscated code, and packages with install scripts — catching 94% of slopsquatted packages. Layer 2: a blocklist of 14,200+ known-malicious package names is checked before any install executes, with new entries added within 4 hours of community reports. Layer 3: behavioral analysis monitors post-install network connections and file access, blocking any package that attempts to read credentials or contact unknown domains within the first 60 seconds of installation.
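The following is an added example, not code from this page, from OpenSyber, or from Socket.dev. It puts the registry-metadata side of the attack and the defence into one script: the same existence check that step 1 of the attack relies on (which suggested names are unregistered) is what a defender's install gate should run before an agent installs anything, together with the package-age and lifecycle-script checks of layer 1 and the name blocklist of layer 2. The registry documents, the blocklist, and the unregistered name csv-export-helper are constructed for the demonstration and say nothing about the real packages; a real deployment would fetch https://registry.npmjs.org/<name> for each candidate, and that wiring is assumed rather than shown. Layer 3 (behavioral monitoring after install) is not demonstrated.

```javascript
// Added example, not OpenSyber's or Socket.dev's code: a pre-install gate that
// applies the registry-metadata checks described above to the package names an
// AI agent proposes. Registry documents and the blocklist are constructed here
// so the script runs offline; a real deployment would fetch
// https://registry.npmjs.org/<name> for each candidate instead (assumed wiring).

const MAX_AGE_DAYS = 30;
// npm runs these lifecycle scripts automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed registry documents in the shape the npm registry returns
// (time.created, dist-tags.latest, versions[v].scripts). Dates and scripts are
// made up for the demonstration and say nothing about the real packages.
const REGISTRY = {
  'csv-writer': {
    time: { created: '2017-05-01T00:00:00.000Z' },
    'dist-tags': { latest: '1.6.0' },
    versions: { '1.6.0': { scripts: { test: 'mocha' } } },
  },
  'node-csv-writer': {
    time: { created: '2026-03-10T00:00:00.000Z' },
    'dist-tags': { latest: '1.0.0' },
    versions: { '1.0.0': { scripts: { postinstall: 'node setup.js' } } },
  },
};

// Hypothetical blocklist of names already reported as malicious.
const BLOCKLIST = new Set(['mongo-sanitizer']);

// Classify one candidate name against a registry snapshot.
//   'missing' - nobody has registered it (the names an attacker harvests in step 1)
//   'block'   - registered, but blocklisted, too young, or carrying install hooks
//   'allow'   - registered, established, and free of install-time scripts
function checkPackage(name, registry, now, blocklist = BLOCKLIST) {
  if (blocklist.has(name)) {
    return { name, verdict: 'block', findings: ['name is on the blocklist'] };
  }
  const doc = registry[name];
  if (!doc) {
    return { name, verdict: 'missing', findings: ['no such package in the registry'] };
  }
  const findings = [];
  const ageDays = Math.floor((now - new Date(doc.time.created)) / 86400000);
  if (ageDays < MAX_AGE_DAYS) findings.push(`first published ${ageDays} days ago`);
  const latest = doc['dist-tags'].latest;
  const scripts = (doc.versions[latest] && doc.versions[latest].scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  if (hooks.length > 0) findings.push(`runs lifecycle hooks: ${hooks.join(', ')}`);
  return { name, verdict: findings.length > 0 ? 'block' : 'allow', findings };
}

// Gate a whole suggestion list. Only 'allow' names should reach `npm install`;
// a 'missing' name means the suggestion itself is unreliable and should go to a
// human rather than be retried later, by which time an attacker may have
// registered it.
function gateInstall(names, registry, now, blocklist = BLOCKLIST) {
  const results = names.map((n) => checkPackage(n, registry, now, blocklist));
  return {
    results,
    allowed: results.filter((r) => r.verdict === 'allow').map((r) => r.name),
  };
}

// Demo on names an agent might emit for "write a CSV file in Node.js";
// 'csv-export-helper' is a constructed, unregistered name.
const demoNow = new Date('2026-03-21T00:00:00.000Z');
const demo = gateInstall(
  ['csv-writer', 'node-csv-writer', 'mongo-sanitizer', 'csv-export-helper'],
  REGISTRY,
  demoNow,
);
for (const r of demo.results) {
  console.log(r.verdict.padEnd(8), r.name.padEnd(20), r.findings.join('; '));
}
```

Run it with node; the demo allows csv-writer, blocks node-csv-writer on both age and its postinstall hook, blocks mongo-sanitizer via the blocklist, and reports csv-export-helper as missing. A gate like this belongs in front of the agent's install step, and ignore-scripts=true in the project's .npmrc is a cheap second layer in case a squatted name gets past it.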

Stop slopsquatting before it reaches your codebase.

OpenSyber scans every package install in real time with Socket.dev integration.
