Package Hallucination and Slopsquatting
By Satwik ยท June 28, 2026
Code-generating models sometimes invent dependencies that do not exist, suggesting an "import" of a package name the model fabricated. Research surfacing prominently in 2023 and 2024 found that these hallucinated package names are not random noise; models tend to hallucinate the same plausible-sounding names repeatedly and consistently. That predictability creates an attack: an adversary registers the hallucinated name on a public registry such as PyPI or npm, and waits. When a developer copies AI-generated code that imports it and runs an install, they pull the attacker's malicious package. Researcher Seth Larson and others popularized the term "slopsquatting" for this AI-driven twist on typosquatting.
Why it matters: it turns a model's confident wrongness into a software-supply-chain compromise. Unlike typosquatting, which relies on human typos, slopsquatting relies on the model's systematic errors, which can be measured and pre-registered by attackers in advance. As AI-assisted coding scales, so does the fraction of installs that trace back to a model's suggestion rather than a human's deliberate choice.
The defensive lesson is to verify every dependency an assistant proposes. Do not install a package merely because generated code references it; confirm it exists, is the intended project, has a credible history, and matches a known-good source. Use lockfiles, dependency allowlists, and internal mirrors, and treat AI-suggested imports as untrusted input to review, not as trusted instructions to execute. Provenance checks belong in the loop between generation and installation.