Slopsquatting: when your AI coding assistant invents a vulnerability
Large language models hallucinate package names. A developer asks for an import, the model confidently returns one that does not exist, and an attacker registers it before anyone notices. The exploit is old. The throughput is new.
the mechanism
The model does not know which packages are real. It predicts plausible strings, and a plausible string is exactly what a squatter needs to anticipate.
The supply chain didn’t get a new weakness. It got a new, tireless author of typos — one that ships the same mistake to thousands of repos before lunch.
Three things make this worse than classic typosquatting:
- the suggestion arrives inside the editor, where trust is already high
- the same hallucinated name recurs across many users and sessions [1]
- nobody typed it, so nobody feels responsible for checking it
what actually changes
Here is the part the hype gets wrong: the defense is not new either. Pin versions, verify provenance, and treat generated imports as untrusted input — the same hygiene that predates the model.
$ npm install requests-py
npm warn package not found in registry mirror
npm error this name was suggested by an assistant, not by you
The fix is boring. Boring is the point.
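The three rules above as a pre-install gate, written as an added example for this article rather than code from it or from npm. It reads a package.json and package-lock.json (real npm lockfile fields "resolved" and "integrity" are checked), but the registry index is a constructed offline stand-in; in real use it would be filled from `npm view <name> versions --json` or a private mirror, and the sample manifests, the placeholder URL and the placeholder hash are all constructed for the demonstration.

```javascript
// Added example, not from the article: a pre-install audit for npm dependencies
// that applies "pin versions, verify provenance, treat generated imports as untrusted".

// Constructed offline stand-in for a registry index (name -> published versions).
// In real use this comes from `npm view <name> versions --json` or a private mirror.
const REGISTRY_INDEX = {
  express: ["4.18.2", "4.19.2"],
  lodash: ["4.17.20", "4.17.21"],
};

// An exact pin is three numeric components: no range operator, tag, or URL.
const EXACT_SEMVER = /^\d+\.\d+\.\d+$/;

function isPinned(spec) {
  return EXACT_SEMVER.test(spec);
}

// A lockfile entry has provenance data when npm recorded where the tarball came
// from and its content hash (package-lock.json "resolved" and "integrity").
function hasProvenance(lockEntry) {
  return Boolean(lockEntry && lockEntry.resolved && lockEntry.integrity);
}

// Every dependency is treated as untrusted input, whoever (or whatever) typed it.
// Returns a list of findings; an empty list means the install may proceed.
function auditDependencies(pkg, lock, index) {
  const findings = [];
  const deps = pkg.dependencies || {};
  const lockPackages = (lock && lock.packages) || {};
  for (const [name, spec] of Object.entries(deps)) {
    const published = index[name];
    if (!published) {
      // Unknown name: the slopsquatting case. Stop here; a human decides.
      findings.push({ name, reason: "not in registry index" });
      continue; // the remaining checks are meaningless for a name that does not exist
    }
    if (!isPinned(spec)) {
      findings.push({ name, reason: `unpinned version spec "${spec}"` });
    } else if (!published.includes(spec)) {
      findings.push({ name, reason: `version ${spec} not published` });
    }
    if (!hasProvenance(lockPackages[`node_modules/${name}`])) {
      findings.push({ name, reason: "lockfile entry missing resolved/integrity" });
    }
  }
  return findings;
}

function installAllowed(pkg, lock, index) {
  return auditDependencies(pkg, lock, index).length === 0;
}

// Constructed sample: one clean dependency, one unpinned, one hallucinated name.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    express: "4.19.2",
    lodash: "^4.17.21",
    "requests-py": "1.0.0", // the assistant-suggested name from the session above
  },
};

const SAMPLE_LOCKFILE = {
  packages: {
    "node_modules/express": {
      version: "4.19.2",
      resolved: "https://registry.example/express/-/express-4.19.2.tgz", // placeholder URL
      integrity: "sha512-PLACEHOLDER", // placeholder; npm writes the real SRI hash here
    },
    "node_modules/lodash": { version: "4.17.21" }, // resolved/integrity absent
  },
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, REGISTRY_INDEX)) {
  console.log(`${f.name}: ${f.reason}`);
}
console.log(
  installAllowed(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, REGISTRY_INDEX)
    ? "install allowed"
    : "install blocked"
);
```

Run with `node`; the sample blocks the install with three findings (the hallucinated name, the caret range, and the lodash entry with no integrity hash) and says nothing about express. The unknown-name check runs first and short-circuits on purpose: a name that is not in the registry has no version or provenance worth reasoning about, and flagging it once keeps the report readable when an assistant has invented several at a time.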
Footnotes
[1] Determinism in the failure mode is what turns a one-off mistake into a reliable target. The attacker only needs the model to be consistently wrong.