Supply Chain

Hallucinated packages: the AI coding risk nobody checks for

5 min read · VibeSafe Blog

Ask an AI for code and it will sometimes import a library that doesn't exist — a plausible name it invented. Attackers know this, and they're registering those names. This is slopsquatting, and it's the quietest risk in AI-built apps.

How the attack works

LLMs hallucinate package names that sound right: plausible variations of real library names, or entirely invented utilities. Researchers found that the same fake names recur across many users' generations, which makes them predictable. So attackers register those names on npm and PyPI with malicious payloads. The next founder whose AI imports the name runs npm install (or pip install), and the package's install hooks execute attacker code with the installing user's privileges, including access to local files, tokens and environment secrets.

Why it beats normal defenses

Traditional vulnerability scanners check known packages against CVE databases. A slopsquatted package isn't a known package with a bug — it's a legitimate-looking upload doing exactly what its author intended. Nothing is "vulnerable"; everything is hostile.
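Because a CVE lookup has nothing to match against, the practical control is a gate that runs before install: every dependency an AI suggested must either be on the team's vetted allowlist or be justified by a human. The script below is an added example, not VibeSafe's code or tooling. It parses a requirements.txt-style list, normalises names the way PyPI does (PEP 503), and classifies each one as approved, a lookalike of a well-known package, or simply unvetted. The allowlist, the "popular packages" snapshot and the sample requirements file are all constructed for the demo; a real deployment would feed in the project's lockfile and a cached list of top registry packages rather than querying a registry live.

```python
"""Pre-install dependency gate for AI-generated requirement lists.

Added example (not VibeSafe's code). Every package name below is
constructed sample data; nothing here talks to npm or PyPI.
"""
import re
from difflib import SequenceMatcher

# Constructed: packages this team has already reviewed and pinned.
APPROVED = {"requests", "flask", "sqlalchemy", "pydantic", "httpx", "boto3"}

# Constructed: reference set of well-known names used only to spot
# near-miss spellings (the usual shape of a hallucinated or squatted name).
POPULAR = {"requests", "flask", "sqlalchemy", "pydantic", "httpx", "boto3",
           "numpy", "pandas", "cryptography", "python-dotenv"}

# Leading package name of a requirement line, before any version specifier.
REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.lower())


def parse_requirements(text):
    """Return normalised package names from a requirements.txt-style string."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip pip options such as -r / -e
            continue
        match = REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def closest_popular(name, threshold=0.8):
    """Most similar well-known package at or above `threshold`, as (name, ratio), else None."""
    best = None
    for candidate in POPULAR:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (candidate, ratio)
    return best


def audit(names, approved=APPROVED):
    """Map each name to 'approved', 'lookalike:<target>' or 'unvetted'."""
    findings = {}
    for name in names:
        if name in approved:
            findings[name] = "approved"
            continue
        near = closest_popular(name)
        if near and near[0] != name:
            findings[name] = "lookalike:" + near[0]
        else:
            # Not on the allowlist and not a near-miss: an invented or
            # unreviewed name. It gets no CVE hit because it has no history.
            findings[name] = "unvetted"
    return findings


def gate(requirements_text):
    """Return (ok, findings). ok is True only when every name is approved."""
    findings = audit(parse_requirements(requirements_text))
    return all(v == "approved" for v in findings.values()), findings


# Constructed sample: what an AI assistant might emit for a small Flask app.
SAMPLE_REQUIREMENTS = """
# requirements.txt (constructed sample)
requests==2.32.0
flask
requestss           # one extra letter: a lookalike name
pydantic-utils      # plausible-sounding helper that was never reviewed
Boto3>=1.34
"""

if __name__ == "__main__":
    ok, report = gate(SAMPLE_REQUIREMENTS)
    for pkg, verdict in report.items():
        print(f"{pkg:20} {verdict}")
    print("install allowed" if ok else "install blocked: review flagged packages")
```

Run it as a pre-commit hook or in CI before any `pip install -r`; the same shape works for `package.json` by swapping the parser and keeping the allowlist logic. The important design choice is that the allowlist, not the lookalike check, is the gate: a hallucinated name such as `pydantic-utils` is not a misspelling of anything, so only "is this on the list of packages we actually reviewed?" catches it.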

The tell-tale signs

How to protect yourself


An honest note. VibeSafe helps catch the most common risks in AI-built apps quickly. It doesn't replace a professional security audit for high-risk applications.
