Slopsquatting: When AI Agents Hallucinate Malicious Packages

By Sean Park (Principal Threat Researcher)

Key Takeaways

• Slopsquatting is a modern supply-chain threat in AI-powered workflows, where coding agents can hallucinate non-existent but plausible package names that malicious actors can use to deliver malware.
• Advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with MCP-backed validation help reduce—but not eliminate—the risk of phantom dependencies, as even real-time validation cannot catch every edge case.
• Common failure scenarios include context-gap filling and surface-form mimicry, where agents compose legitimate-sounding packages based on user intent or statistical conventions without robust real-world validation.
• Mitigating this threat requires a layered security approach, combining best practices such as provenance tracking (via Software Bills of Materials), automated vulnerability scanning, sandboxed installations, real-time package validation, and human oversight to secure AI-driven development pipelines.

Imagine this scenario: you’re working under a tight deadline, and you have your reliable AI coding assistant by your side, auto-completing functions, suggesting dependencies, and even firing off pip install commands on the fly. You’re deep in flow—some might call it vibe coding—where ideas turn into code almost effortlessly with the help of AI. It almost feels like magic—until it isn’t.

During our research, we observed an advanced agent confidently generating a perfectly plausible package name out of thin air, only to have the build crash with a “module not found” error moments later. Even more concerning, that phantom package might already exist on PyPI, registered by an adversary waiting to introduce malicious code into a developer’s workflow.

Figure 1. Agent hallucinating a non-existent package name—slopsquatting in action

For AI developers, these momentary glitches represent more than just an inconvenience; they’re a window into a new supply-chain threat. When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries.

In this entry, we’ll explore how these hallucinations occur in advanced agents, discuss their implications, and provide actionable guidance on how organizations can keep their development pipelines secure against these types of threats.

What is slopsquatting?

Slopsquatting is an evolution of the classic typosquatting attack. Rather than relying on human typographical errors however, attackers exploit AI-generated hallucinations instead. When a coding agent hallucinates a dependency—such as starlette-reverse-proxy—an attacker can publish a malicious package under that exact name. Developers who unwittingly run the generated installation commands may inadvertently download and execute malware.

Harnessing advanced agentic capabilities

While raw large language models (LLMs) can generate plausible-looking package names, they lack built-in validation mechanisms. In contrast, advanced coding agents incorporate additional reasoning and tool integrations to catch hallucinations before they can slip into the code. The next sections explores some of key agentic capabilities offered by some of the latest coding agents.

Anthropic: Claude Code CLI

Extended thinking with tool use

Claude Code CLI dynamically interleaves internal reasoning with external tools—such as live web searches and documentation lookups—to verify package availability as part of its generation pipeline. This “extended thinking” approach ensures that suggested package names are based on real-time evidence rather than statistics alone.

Figure 2. Claude Code CLI autonomously invoking a web search to validate a package

Codebase memory

A multi-tiered memory system allows the agent to recall prior verifications and project-specific conventions, enabling it to cross-reference of earlier dependency checks before recommending new imports.

OpenAI: Codex CLI

Automated testing and debugging

Codex CLI generates and executes test cases iteratively, using import failures and test errors as feedback to prune non-existent libraries from its suggestions.

Codebase awareness and introspection

By inspecting the existing codebase—parsing imports, analyzing project structure, and referencing local documentation—Codex ensures that package recommendations are contextually grounded in the specific application rather than relying solely on language priors.

Cursor AI: MCP-Backed Validation

For Cursor AI, we utilized multiple Model Context Protocol (MCP) servers for real-time validation of each candidate dependency:

• Context7: Provides version-specific and up-to-date API documentation with examples
• Sequential Thinking: Facilitates problem-solving through task decomposition
• Custom Tavily Search: Delivers real-time web search capabilities

Figure 3. Cursor AI’s MCP pipeline validating dependencies against live registries

Comparative hallucination analysis

To assess how different AI paradigms manage phantom dependencies, we compared hallucinated package counts across 100 realistic web-development tasks for three classes of models. Given the challenge of automating tests across various coding agents and Cursor AI, we manually executed the ten tasks that exhibited the highest hallucination rates in foundation models, recorded each hallucination, and compiled the results.

These are visualized in Figure 4, which charts the number of fabricated package names (0–6) proposed by each model for every task. The full dataset is available on GitHub.

Figure 4. The number of hallucinated packages identified t for each model and question is visualized on a scale of 0 to 6. For instance, 4 indicates that four hallucinated package names were identified for the corresponding model and question.

Foundation models

Across the 100 tasks, foundation models predominantly produced zero-hallucination outputs. However, they exhibited occasional spikes of two to four invented names when prompted to bundle multiple novel libraries.

These spikes, clustered around high-complexity prompts, reflect the model’s tendency to splice familiar morphemes (e.g. “graph” + “orm”, “wave” + “socket”) into plausible-sounding yet non-existent package names when their training data lacks up-to-date grounding.

Coding agents

By incorporating chain-of-thought reasoning and live web-search integrations, advanced coding agents are able to reduce the hallucination rate by approximately half. Nonetheless, occasional spikes persist on the same high-complexity prompts, albeit limited to one or two phantom names. Common error modes include:

• Context-gap filling
  Agents compose semantically relevant morphemes to satisfy intent (e.g., “use WebSocket, ORM, serverless”) even in the absence of exact matches.
• Surface-form mimicry
  Agents rely on statistical naming conventions without validation against a live index. This results in “near-miss” strings that follow common naming conventions (such as prefixes like opentelemetry-instrumentation-, or suffixes like -requirements), reflecting statistical patterns rather than real inventory.

Cursor AI with MCP-backed vibe coding

Enhancing the vibe-coding workflow with three live MCP servers yields the lowest hallucination counts. Real-time validation effectively filters out most hallucinations other coding agents exhibit — however, in edge cases where no registry entry exists, a small number of hallucinated names may still persist.

• Cross-ecosystem “name borrowing”
  Vibe Coding aggregates search snippets and GitHub READMEs from multiple language communities. When a term exists in, for example, the JavaScript ecosystem (e.g. an npm plugin named serverless-python-requirements) or a vendor’s documentation, the agent repurposes it for a Python context without checking PyPI, resulting in packages that sound valid but are actually specific to another environment.
• Morpheme-splicing heuristics
  If no direct match is found, Cursor AI stitches together descriptive tokens it has previously encountered as a pair (e.g. graphit + orm or morpher) to fill semantic slots (such as “graph database ORM,” or “data transformer”). The result is statistically convincing yet entirely imaginary.

Conclusion and recommendations

This research demonstrates that package hallucinations remain a tangible supply-chain threat across all AI coding paradigms. Foundation models frequently generate plausible-sounding dependencies when tasked with bundling multiple libraries. While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases.

Importantly, relying on simple PyPI lookups offers a false sense of security, as malicious actors can pre-register hallucinated names, and even legitimate packages themselves might contain unpatched vulnerabilities. When dependency resolution is treated as a rigorous, auditable workflow rather than a simple convenience, organizations can significantly shrink the attack window for slopsquatting and other related supply-chain exploits.

Recommendations

• Provenance tracking with Software Bills of Materials (SBOMs)
  Generate and cryptographically sign SBOMs for every build, ensuring each dependency’s origin and version are auditable.
• Automated vulnerability scanning
  Integrate tools such as Safety command line interface (CLI) or OWASP dep-scan into the CI/CD pipeline to detect known CVEs in both new and existing packages before promotion.
• Isolated installation environments
  Execute all AI-generated pip install commands inside transient Docker containers or ephemeral virtual machines (VMs). Promote only those artifacts that pass sandbox validation into production.
• Prompt-driven validation loops
  Design AI prompts to include inline existence checks (e.g., pip index versions ) and require real-time lookups before finalizing code output.
• Developer training and policies
  Educate engineering teams on slopsquatting risks and enforce policies mandating dependency vetting, signature verification, and routine incident-response drills.

When automatic package installs are unavoidable, enforce strict sandbox controls to mitigate potential threats:

• Containerized sandboxing
  Run AI-suggested installations within disposable containers or lightweight VMs to isolate and contain host compromise.
• Managed cloud sandboxes
  Use hosted runtimes with enforced network and resource restrictions, which are configured to auto-destroy environments after each session.
• Per-run environment reset
  Reset the sandbox state between executions to eliminate the persistence of malicious artifacts.
• Outbound network restrictions
  Whitelist only approved registries and block unauthorized egress to thwart command-and-control (C&C) channels.
• Pre-execution vulnerability scanning
  Scan proposed dependency lists for high-severity CVEs, and flag or block any risky packages before installation.
• Auditing, logging & monitoring
  Capture detailed logs of installation commands, file operations, and network calls; deploy runtime monitors to detect anomalous behavior and trigger automatic teardowns or alerts.
• Human-in-the-Loop approval
  Require the manual review of new or unfamiliar packages to balance automation with security oversight.
• Immutable base images and policy updates
  Start each sandbox from a clean, version-pinned base image, and continuously update security policies, base images, and firewall rules to stay ahead of emerging threats.