Supply Chain
Hallucinated packages: the AI coding risk nobody checks for
Ask an AI for code and it will sometimes import a library that doesn't exist — a plausible name it invented. Attackers know this, and they're registering those names. This is slopsquatting, and it's the quietest risk in AI-built apps.
How the attack works
LLMs hallucinate package names that sound right — plausible variations of real library names, or entirely invented utilities. Researchers found the same fake names recur across many users' generations. So attackers register those names on npm and PyPI with malicious payloads. The next founder whose AI imports the name runs npm install — and executes attacker code with full access to their machine and secrets.
Why it beats normal defenses
Traditional vulnerability scanners check known packages against CVE databases. A slopsquatted package isn't a known package with a bug — it's a legitimate-looking upload doing exactly what its author intended. Nothing is "vulnerable"; everything is hostile.
The tell-tale signs
- Package published very recently, with few downloads
- Name suspiciously close to a popular library
- No repository link, empty README, single maintainer
- Install scripts (`preinstall`/`postinstall`) doing network calls
How to protect yourself
- Before installing anything an AI suggested, look it up on npm/PyPI — does it exist, is it established?
- Prefer packages you've heard of; treat novel names in generated code as unverified
- Commit lockfiles so installs are reproducible
- Scan generated code — VibeSafe flags imports that don't match known registries
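As an added example (not from the original post and not VibeSafe's code), the tell-tale signs and the look-it-up step above as a small triage script run over constructed npm registry documents; the `POPULAR` list, the fixed `NOW` clock, the 90-day and 1000-download thresholds and the sample package names are all assumptions.

```python
"""Triage an npm package's registry metadata for the signs listed above.
The two sample documents are constructed for offline use, not fetched from npm."""
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

POPULAR = ["express", "lodash", "axios", "react"]  # assumed short list of well-known names
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic

def flag_package(meta, weekly_downloads, now=NOW):
    """Return human-readable warnings for one package; empty list means no signs found."""
    flags, name = [], meta["name"]
    created = datetime.fromisoformat(meta["time"]["created"].replace("Z", "+00:00"))
    if now - created < timedelta(days=90):
        flags.append("published less than 90 days ago")
    if weekly_downloads < 1000:
        flags.append(f"only {weekly_downloads} weekly downloads")
    # Compare the whole name and each hyphen-separated part against popular names.
    parts = [name, *name.split("-")]
    for pop in POPULAR:
        if name != pop and any(SequenceMatcher(None, p, pop).ratio() >= 0.8 for p in parts):
            flags.append(f"name is close to popular package '{pop}'")
    if not meta.get("repository"):
        flags.append("no repository link")
    if len(meta.get("readme", "").strip()) < 40:
        flags.append("empty or near-empty README")
    if len(meta.get("maintainers", [])) <= 1:
        flags.append("single maintainer")
    latest = meta["versions"][meta["dist-tags"]["latest"]]
    for hook in ("preinstall", "install", "postinstall"):  # lifecycle hooks npm runs on install
        if hook in latest.get("scripts", {}):
            flags.append(f"{hook} script runs at install time: {latest['scripts'][hook]}")
    return flags

# Constructed in the shape of a registry.npmjs.org/<name> document, trimmed to the fields used.
SUSPICIOUS = {
    "name": "expres-utils", "dist-tags": {"latest": "1.0.0"},
    "time": {"created": "2025-05-28T10:00:00.000Z"},
    "maintainers": [{"name": "newuser"}], "readme": "",
    "versions": {"1.0.0": {"scripts": {"postinstall": "node setup.js"}}},
}
ESTABLISHED = {
    "name": "express", "dist-tags": {"latest": "1.0.0"}, "maintainers": [{"name": "a"}, {"name": "b"}],
    "time": {"created": "2010-01-01T00:00:00.000Z"},
    "repository": {"type": "git", "url": "https://example.invalid/express.git"},
    "readme": "A long README describing the library, its API and its usage in detail.",
    "versions": {"1.0.0": {}},
}
if __name__ == "__main__":
    for pkg, downloads in ((SUSPICIOUS, 12), (ESTABLISHED, 30_000_000)):
        print(pkg["name"], flag_package(pkg, downloads) or ["no signs found"])
```

The warnings are heuristics for deciding what to look at before running `npm install`, not a verdict; an established package can legitimately trip one of them.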