Across 576,000 code samples generated by 16 AI models, researchers found that roughly 1 in 5 package recommendations referenced packages that do not exist. A technique called slopsquatting, in which attackers pre-register the names AI models reliably hallucinate, turns that hallucination rate into a live supply chain attack vector. If your PR process does not include a dependency origin check, you have a gap that none of your standard code review tools are closing.
From Hallucination to Attack
When AI coding agents generate import statements and dependency declarations, they draw on training data, not a live view of any package registry. A 2025 peer-reviewed analysis of package hallucination behavior across 16 LLMs identified three categories of fictional reference:
Pure fabrications (51%): names with no real-world basis in any registry
Conflations (38%): hybrid combinations of real package names fused into a non-existent identifier
Near-miss typos (13%): slight misspellings of legitimate packages
Hallucination rates vary significantly by model type:
A 2025 Trend Micro analysis confirmed that 43% of hallucinated package names recur consistently across separate queries to the same model. That predictability is what makes slopsquatting viable: adversaries identify which names a model reliably produces, then register those names on PyPI or npm before your developers run npm install.
Sonatype's 2026 State of Software Supply Chain research puts numbers on the scope: 27.75% of AI-generated dependency upgrade recommendations across 36,870 enterprise scenarios referenced versions that do not exist. More than 10,000 phantom package versions appeared in that single dataset, each one a potential slot for a squatted malicious upload.
Why Standard Code Review Misses This
A hallucinated import is syntactically clean. It does not trigger a lint error, a type error, or a test failure; the error surfaces at install time or at runtime, long after the PR has merged. A diff showing import fastapi-helpers (a fabricated name) is visually indistinguishable from any legitimate dependency addition. Nothing in a standard code review flow raises a flag.
Standard PR checklists focus on logic correctness, test coverage, and secrets exposure. None of the common templates prompt a reviewer to verify whether a newly introduced package actually exists in its registry, has an active maintainer, or was published in the last 48 hours. The risk is invisible to human reviewers and invisible to static analysis tooling that validates syntax rather than dependency provenance.
Three Checks to Add to Your PR Merge Gate
Registry existence check before install. Before npm install or pip install, verify the package exists and has credible history. npm view <package-name> and the PyPI JSON API (pypi.org/pypi/<package>/json) return creation date, download counts, and maintainer records. A package created in the last week with no downloads and no linked source repository should be blocked from installation.
Lockfile enforcement in CI. Require npm ci instead of npm install in all CI pipelines. This enforces exact resolution against the committed lockfile rather than re-resolving from package.json. If a developer installed a squatted package locally, the resolved SHA is present in the lockfile diff, making the poisoned dependency visible during code review, before it reaches production.
Dependency origin validation as a required status check. Add a CI gate that verifies each new package introduced in the PR exists in its registry, has a publication history older than 72 hours, and carries a valid maintainer record. This check must run before merge approval, not as a post-deploy scan, so that hallucinated packages are blocked at insertion, not discovered after a production incident.
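A sketch of the dependency origin check described above, added here as an illustration and not taken from the article or from any vendor's tooling. It evaluates already-fetched PyPI JSON API responses (fields `info`, `releases`, `upload_time_iso_8601`) against the existence, 72-hour age, maintainer and source-link rules; the package names, metadata and the `gate` helper are constructed for the example, and fetching is left out so it runs offline.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(hours=72)  # publication-age threshold from the article

def first_upload(meta):
    """Earliest file upload time across all releases, or None if none exist."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for files in meta.get("releases", {}).values() for f in files]
    return min(times) if times else None

def origin_findings(name, meta, now):
    """Reasons to block `name`; an empty list means the package passes.
    `meta` is the parsed pypi.org/pypi/<name>/json body, or None on HTTP 404."""
    if meta is None:
        return [f"{name}: not in registry (possibly hallucinated)"]
    findings, info = [], meta.get("info") or {}
    born = first_upload(meta)
    if born is None:
        findings.append(f"{name}: no published files")
    elif now - born < MIN_AGE:
        findings.append(f"{name}: first published {now - born} ago (< 72h)")
    if not any(info.get(k) for k in ("author", "author_email", "maintainer", "maintainer_email")):
        findings.append(f"{name}: no maintainer record")
    if not (info.get("project_urls") or info.get("home_page")):
        findings.append(f"{name}: no linked source repository")
    return findings

def gate(new_packages, registry, now):
    """Map each newly added package to its findings; merge only if all are empty."""
    return {name: origin_findings(name, registry.get(name), now) for name in new_packages}

# Constructed registry responses (not real PyPI data), keyed by package name.
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "established-lib": {
        "info": {"author": "Example Maintainer",
                 "project_urls": {"Source": "https://example.invalid/established-lib"}},
        "releases": {"1.0.0": [{"upload_time_iso_8601": "2019-03-01T09:00:00.000000Z"}]}},
    "fastapi-helpers": {  # modelled as a name registered 18 hours before NOW
        "info": {"author": "", "project_urls": None},
        "releases": {"0.0.1": [{"upload_time_iso_8601": "2025-06-09T18:00:00.000000Z"}]}},
}

if __name__ == "__main__":
    report = gate(["established-lib", "fastapi-helpers", "no-such-pkg"], SAMPLE, NOW)
    for name, findings in report.items():
        print("PASS" if not findings else "BLOCK", name, findings)
    raise SystemExit(1 if any(report.values()) else 0)
```

Run as a script, it exits non-zero when any new package has findings, which is what lets a CI system treat it as a required status check.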
The deeper fix is grounding AI generation against live registry data rather than training snapshots. Sonatype's research demonstrated that querying current repository state in real time reduced AI hallucination of dependency recommendations to zero percent across the same 36,870-scenario dataset. The risk is not inherent to AI coding agents; it is inherent to AI coding agents operating without registry grounding.
Closing that gap means enforcing dependency origin checks on every AI-generated PR, not as a manual review step, but as an automated gate. re-entry.ai scores AI-generated pull requests against configurable risk policies, including package provenance checks, before they reach your merge queue. Request a demo to see what your current PR pipeline is missing.