AI coding tools can speed up software work, but they can also create a new kind of dependency risk. Security researchers are warning about slopsquatting, a technique built around fake package names that AI systems suggest as if they were real libraries.
The issue is not only that a model can make a mistake. The danger is that the same mistake can appear often enough for attackers to notice, register the invented package name, and wait for developers to install it.
What slopsquatting means
The term slopsquatting was coined by security researcher Seth Larson. It describes an attack in which malicious actors publish harmful packages using fictional names that AI models such as ChatGPT or CodeLlama incorrectly recommend.
This differs from typosquatting. In typosquatting, attackers rely on users misspelling the name of a real library. In slopsquatting, the package name may not come from a typo at all. It may be a name the model has completely fabricated.
That distinction matters because the fake name can still look credible. A developer reading AI-generated code may see an import statement or installation instruction and assume the dependency exists. If that name has been claimed in a package repository, the developer may install attacker-controlled code without realizing the original recommendation was never grounded in a real package.
The numbers behind the risk
A study published in March 2025 found that approximately 20 percent of analyzed AI code examples contained non-existent packages. The study looked at a total of 576,000 Python and JavaScript snippets.
The problem was not limited to weaker systems. According to the source, ChatGPT-4 hallucinate packages about 5 percent of the time. Open-source models including DeepSeek, WizardCoder, or Mistral showed significantly higher rates.
The research team has not tested newer models yet. Even so, the source states that hallucinations remain an issue with the most advanced language models. For software teams, that means model quality can reduce the problem, but it does not remove the need to verify dependencies.
Why fake package names are useful to attackers
Slopsquatting becomes more serious when hallucinations repeat. The study found that 58 percent of hallucinated package names appeared multiple times across similar queries. That repetition makes the names easier for attackers to identify and target.
Socket, a company specializing in open-source security, warns that these patterns represent a "predictable attack target". In practical terms, an attacker does not need to guess every possible fake dependency. If a model repeatedly suggests the same invented name, that name can become valuable.
The study also broke down the nature of the hallucinated names. Of the hallucinated names, 38 percent resembled real packages, 13 percent were typos, and the rest were pure invention.
That mix increases the risk in different ways. A name that resembles a real package may pass a quick visual check. A typo may look like a familiar dependency entered carelessly. A fully invented name may still sound plausible enough to be accepted when it appears inside otherwise useful AI-generated code.
How the attack can reach real software
The path from AI suggestion to software supply chain risk is direct. A model suggests a package that does not exist. A developer tries to install it. An attacker registers that invented name in a repository such as PyPI or npm and publishes malicious code under it.
Once the package is installed, the harmful code enters the software without warning. The source highlights another concern: many developers rely on AI-generated code or process it automatically. That reliance can shorten the distance between a hallucinated dependency and a real installation.
The core problem is trust. AI-generated code can appear complete, coherent, and ready to run. But dependency names are not self-validating. A package name in a generated snippet is only a claim, and it needs to be checked before it becomes part of a project.
Practical safeguards for AI-generated code
Researchers recommend several measures to reduce exposure to slopsquatting. These controls focus on verifying dependencies and limiting the damage that a bad suggestion can cause.
- Never adopt package names without verification.
- Specify version numbers using lockfiles.
- Implement hash verification.
- Test AI-generated code in isolated environments.
- Reduce the temperature parameter, which controls the randomness of AI output, to help minimize hallucinations.
These steps do not require teams to stop using AI coding tools. They do require treating generated dependencies as untrusted until proven otherwise. The package name, the version, and the installation source all need the same scrutiny that teams already apply to other parts of the software supply chain.
Slopsquatting shows how AI mistakes can become attacker opportunities. A fabricated library name may look like a small error in a code suggestion, but if it is repeated, registered, and installed, it can become a real security problem.