Class vulnerability — Slopsquatting (LLM-hallucinated package names)
Slopsquatting is a supply-chain attack class, with a name coined in 2025 (Seth Larson), in which an LLM hallucinates a plausible-looking package name that does not exist in the registry. An attacker pre-registers the hallucinated name with a malicious payload, and the next developer who runs the AI-suggested install command pulls the malware. It is distinct from typosquatting, which mimics an existing real package.
- Any project using AI coding assistants (Cursor, Copilot, Claude Code, Cline, Continue, Lovable, Bolt, v0, Replit) without dependency-name verification
- npm + PyPI + RubyGems + Go modules registries equally affected
- 5-20% of AI-suggested package names are hallucinated (Socket / Snyk research 2024-2025)
What an attacker does
A developer asks an AI coding assistant to add a JWT helper to their project. The model outputs `npm install jwt-helper-utils` — a name that sounds real but does not exist in the npm registry. The developer copy-pastes the command. An attacker monitoring LLM-suggested package patterns has already registered jwt-helper-utils on npm with a malicious post-install script; the package downloads, runs, and exfiltrates env vars + .npmrc credentials. Variants observed in the wild on npm + PyPI in 2025-2026 include hundreds of hallucinated names registered defensively or maliciously.
How to detect
Audit every AI-generated install command against the registry before running it. Verify that each suggested package is the canonical / intended one: check publisher identity, weekly downloads, age (first-published date), and GitHub repo link. Securie's dependency-vuln specialist flags packages first published less than 30 days ago with low download counts, no linked GitHub repo, or publisher mismatch against the AI-suggested pattern.
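The checks above can be scripted as a gate in front of an AI-suggested `npm install` line. The following is an added example, not Securie's code: the metadata fields follow the npm registry packument shape (`time.created`, `repository`, `maintainers`), while the sample records, the download floor and the trusted-publisher list are constructed assumptions.

```python
import re
from datetime import datetime, timezone

MAX_NEW_AGE_DAYS = 30        # age threshold stated on the page
MIN_WEEKLY_DOWNLOADS = 1000  # assumed floor, tune per organisation

def packages_from_command(cmd):
    """Extract package names from an `npm install` line, dropping flags and version specs."""
    tokens = cmd.split()
    if len(tokens) < 3 or tokens[0] != "npm" or tokens[1] not in ("install", "i", "add"):
        return []
    spec = re.compile(r"^(@[^/@]+/[^/@]+|[^@/-][^@/]*)(@.+)?$")
    return [m.group(1) for m in map(spec.match, tokens[2:]) if m]

def review(packument, weekly_downloads, now, trusted_publishers=()):
    """Return the reasons to hold an install; an empty list means no signal fired."""
    if packument is None:  # registry lookup returned 404
        return ["not in registry: likely hallucinated, name is open to registration"]
    reasons = []
    created = datetime.fromisoformat(packument["time"]["created"].replace("Z", "+00:00"))
    age_days = (now - created).days
    if age_days < MAX_NEW_AGE_DAYS:
        reasons.append(f"first published {age_days} days ago")
    if weekly_downloads < MIN_WEEKLY_DOWNLOADS:
        reasons.append(f"only {weekly_downloads} weekly downloads")
    # The repository link is publisher-supplied metadata: its absence is the signal.
    repo = packument.get("repository") or {}
    if not (repo if isinstance(repo, str) else repo.get("url")):
        reasons.append("no linked source repository")
    publishers = {m["name"] for m in packument.get("maintainers", [])}
    if trusted_publishers and not publishers & set(trusted_publishers):
        reasons.append("publisher not on trusted list")
    return reasons

# Constructed stand-ins for registry responses: (packument, weekly downloads).
SAMPLE = {
    "jwt-helper-utils": ({"time": {"created": "2025-06-01T12:00:00.000Z"},
                          "maintainers": [{"name": "new-account-1"}]}, 12),
    "@vendor/auth": ({"time": {"created": "2019-03-04T08:30:00.000Z"},
                      "repository": {"url": "git+https://github.com/vendor/auth.git"},
                      "maintainers": [{"name": "vendor-release"}]}, 250000),
}

def audit(cmd, now, trusted_publishers=()):
    """Map each package named in an AI-suggested command to its hold reasons."""
    return {name: review(*SAMPLE.get(name, (None, 0)), now, trusted_publishers)
            for name in packages_from_command(cmd)}

if __name__ == "__main__":
    now = datetime(2025, 6, 10, tzinfo=timezone.utc)  # fixed date so output is stable
    cmd = "npm install jwt-helper-utils @vendor/auth no-such-pkg-xyz"
    for name, why in audit(cmd, now).items():
        print(name, "->", why or "no flags")
```

A name that is absent from the registry is treated as a hold, not a pass: it is the case where the suggestion was hallucinated and the name can still be claimed by anyone.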
How to fix
Never trust AI-suggested package names verbatim. Pin reviewed packages explicitly in package.json / requirements.txt / Gemfile. Use a private mirror or allow-list registry for production builds. Run dependency review on every PR. For Python, prefer pinned wheels and reject packages whose first-publish date is later than the date of the suggestion. For Node, scope dependencies to known publishers (`@vendor/*` namespace).
How Securie catches Class-vulnerability — slopsquatting
Securie's dependency-vuln specialist + secret_scanner flag AI-suggested packages that were first published less than 30 days ago, have low download counts, have no GitHub repo, or show a publisher mismatch. The intent-graph cross-checks suggested package names against the canonical packages an LLM would otherwise hallucinate.