A novel cyberattack vector is emerging in the software security landscape, exploiting hallucinations of large language models. Dubbed slopsquatting, a blend of 'AI slop' and 'typosquatting,' this threat targets the software supply chain by leveraging the trust developers place in AI coding assistants. As reliance on these tools grows, attackers find new ways to infiltrate development workflows from the very first line of code.
How Slopsquatting Works and Why It Is Dangerous
Slopsquatting exploits the tendency of LLMs to invent fictitious software package names. During an AI-assisted coding session, the model may suggest a non-existent open-source library. If a malicious actor registers that name in a public repository and populates it with malware, the harmful code gets directly incorporated into the developer's codebase. Unlike traditional typosquatting, which relies on misspellings of known packages and has existing protections, slopsquatting generates plausible yet entirely fabricated names, bypassing registry safeguards.
Sponsored Protocol
Persistent Hallucinations Amplify the Risk
LLM hallucinations are not rare events. One study analyzed over 31,000 vulnerabilities across 14,675 packages in 10 programming languages, finding a 98% annual increase in reported vulnerabilities, far outpacing the 25% growth in open-source package numbers. Moreover, the average lifespan of vulnerabilities rose by 85%, signaling declining security. When multiple models hallucinate the same package, large-scale compromise becomes possible, with malware remaining undetected for months or even years.
Why Language Models Hallucinate Software Packages
LLMs generate the most statistically likely answer, not the accurate one. Hallucination rates range from 50% to 82% depending on the model and prompting method. Even GPT-4o, the best-performing model, cannot drop below 23% despite mitigation techniques. Attackers can exploit this via token-level manipulation or retrieval poisoning, forcing models to recommend malicious packages.
Sponsored Protocol
Proprietary Models Are Safer Than Open-Source
Research shows that proprietary models are four times less likely to generate hallucinated packages than open-source ones. In a test across 30 systems, out of 576,000 code samples and 2.23 million packages generated, 19.7% were hallucinations. GPT-4.0 Turbo had a hallucination rate of 3.59%, while DeepSeek 1B, the best open-source model, reached 13.63%. Organizations using open-source AI tools for code generation are thus four times more exposed to slopsquatting.
Vibe Coding Expands the Attack Surface
Vibe coding refers to the practice of letting AI write code fluidly with minimal oversight. Developers estimate that over 40% of committed code includes AI assistance, and 72% of those who have tried AI tools use them daily. This surge without proper verification processes expands the attack surface for slopsquatting. It is essential to verify that recommended packages actually exist in official repositories before integration.
Sponsored Protocol
To counter this threat, security teams should implement automated checks that validate package names against known registries, monitor unusual package installations, and stay updated on emerging slopsquatting campaigns. Model transparency, as discussed in this article on Anthropic, is crucial for understanding and mitigating these risks. For further context, consult the Wikipedia page on typosquatting.