AI coding assistants are conjuring imaginary friends in your software projects. These hallucinated dependencies don’t actually exist—until hackers create them, turning your AI-generated code into a ticking time bomb. Security researchers have discovered that large language models routinely fabricate non-existent package names when suggesting code, unwittingly opening doors to a new type of supply chain attack.
This phenomenon, dubbed slopsquatting by security researcher Seth Larson, represents a disturbing evolution of the familiar typosquatting attack. But instead of relying on developers making typos, attackers can now predict which fake packages AI will hallucinate and register them preemptively as malicious traps.
When AI Gets Sloppy With Your Supply Chain
Here’s the nightmare scenario: you ask an AI coding assistant to help implement a specific feature. It confidently suggests code that imports a package that seems legitimate but doesn’t actually exist in any repository. When you attempt to install this fictional dependency, you’re either met with an error—or worse, you unknowingly download a malicious package that an attacker created specifically to exploit this vulnerability.
Researchers from open-source cybersecurity company Socket warn that these hallucinated package names aren’t random—they’re common, repeatable, and semantically plausible. This creates a predictable attack surface that can be weaponized with frightening efficiency.
Think of it as AI accidentally writing ransom notes with real addresses. It’s only a matter of time before someone checks those addresses and plants something nasty.
The Biological LLMs Avoid Issue
Human developers (or biological LLMs as some Redditors call them) traditionally avoid this issue through experience and verification. We check documentation, consult package registries, and rely on development environment feedback to confirm dependencies actually exist.
AI-generated code dependencies bypass these guardrails through a perfect storm of believability. When GitHub Copilot or ChatGPT suggests code with an import statement for something like “securitytool” that looks legitimate, even experienced developers might assume it’s a real package they simply haven’t encountered before.
This creates what security experts describe as a sophisticated attack vector—one that exploits the growing trust in AI coding assistants while targeting the weakest link in the software supply chain: third-party dependencies.
Backdoors That Spawn a Thousand Nightmares
The danger extends beyond initial compromise. Once a poisoned dependency enters your codebase, it can spawn cascading vulnerabilities through what researchers call persistent compromise. These backdoors can infect future AI-generated code and spread through repository forks, creating a nightmare scenario for security teams.
Some attacks employ semantic hijacking—subtle manipulations that mislead AI models into producing insecure code that bypasses security best practices. This technique leverages the pattern-matching nature of language models to inject vulnerabilities that look legitimate even to trained eyes.
Tools like CodeGate, a new open-source project from Stacklok, offer some protection by automatically scanning for malicious or deprecated dependencies. This type of defense is increasingly critical as the line between hallucinated code and legitimate packages blurs.
Protecting Your Codebase From Imaginary Threats
The most effective defense remains vigilant verification. Before implementing any AI-generated code, verify all dependencies exist in official repositories. This simple practice can prevent most slopsquatting attacks before they begin.
For organizations, establishing clear governance around AI coding tools helps mitigate risk. This includes defining approved repositories, requiring peer reviews of AI-generated code, and implementing automated dependency scanning in continuous integration pipelines.
The issue highlights a central paradox in today’s development landscape: tools designed to accelerate productivity can introduce entirely new categories of risk. As noted in HeckNews’s coverage of Meta’s AI training controversy, the rush to deploy AI systems often outpaces proper evaluation of their limitations and vulnerabilities.
Security experts predict slopsquatting will eventually join other established attack vectors like those that have compromised government systems. The challenge isn’t whether attacks will happen, but how effectively the development community adapts its security practices to address this novel threat.
As AI coding assistants become increasingly integrated into development workflows, the responsibility falls on both tool creators and users to implement safeguards against these hallucinated vulnerabilities. The most dangerous dependencies might be the ones that don’t exist—until someone malicious makes them real.