
Technical explainer

Slopsquatting: when AI hallucinations become real npm packages


Slopsquatting is the new typosquatting. Typosquatting bets that a developer mistypes lodash as lodahs. Slopsquatting bets that an AI assistant invents a package name that sounds plausible — lodash-utils-extra, framer-motion-tools, axios-retry-plus — and a developer accepts the suggestion without checking whether it exists.

The attacker doesn't need to wait for you to mistype. The AI does the imagining for them.

How it actually works

  1. Researchers (and attackers) prompt popular AI coding assistants with thousands of common queries. "How do I throttle React renders?" "What's a good library for image cropping in Next.js?"

  2. They log every package name the AI suggests in its responses.

  3. They filter for names that look plausible but don't exist on npm or PyPI.

  4. They register the popular ones with a payload.

  5. They wait. Eventually a developer asks a similar question, gets the same hallucinated name, and runs the install command without checking.

Researchers from Lasso Security, the University of Texas at San Antonio, and others have documented this end-to-end. Over 200 hallucinated package names have been identified across LLM outputs. A meaningful percentage get registered by adversaries within days of researchers publishing the lists.

Why AI hallucinates plausible names

The models that power modern AI coding assistants were trained on the open web. Their training data is full of:

  • Tutorials referring to packages that no longer exist
  • Blog posts written before a library was renamed
  • Stack Overflow answers mentioning packages that briefly existed and were yanked
  • Code comments referencing internal forks

The model learns that names of the form <thing>-<purpose> are a common shape. When you ask it for a library that does X, it generates a name matching that shape. Sometimes the name resolves to a real package. Sometimes it doesn't. And sometimes — because attackers are watching — the name resolves to a malicious package that an attacker registered yesterday.

Why this is harder to defend than typosquatting

Typosquatting has obvious tells: a small edit distance from a popular package name and odd character substitutions (lodaash, lodash-, 1odash). The defense is to fuzzy-match each requested name against a canonical list of popular packages.

Slopsquatted names often don't look like typos of anything. They look like plausible new libraries. react-form-state could be a real package, or a hallucination, or a slopsquat. Distance-from-popular doesn't help here.

The signals that actually distinguish slopsquats from real packages:

  • Registration date. A package registered three days ago that an AI is suggesting as if it's well-established → suspicious.
  • Download count. Real packages have history. Slopsquats are days old.
  • Maintainer history. Real packages have a maintainer with other packages. Slopsquats are someone's first publish.
  • GitHub linkage. Real packages point at real repositories with real commit history. Slopsquats either have no repo link or link to a freshly-created one.
  • Cooling windows. Refuse to install anything younger than N days; most slopsquats are caught and unpublished within that window.

What stops it before it lands

A local gate that scores every package before the bytes reach disk can check all five of those signals automatically. If you paste a hallucinated name into your terminal, the gate refuses with a clear message: registered yesterday, no downloads, no GitHub, no maintainer history — looks like a slopsquat.
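The scoring step of such a gate, as an added example that is not from the original post or from any product: it applies the five signals above to metadata the caller is assumed to have already fetched. The field names (created, weeklyDownloads, maintainerPackageCount, repository, repoCreated) and all thresholds are hypothetical.

```javascript
// Added example, not from the original post. The flattened `meta` shape and its
// field names are assumptions: the caller has already fetched registry metadata.
const DAY_MS = 86400000;
// Thresholds are illustrative assumptions; the post only says "N days".
const POLICY = { coolingDays: 7, youngDays: 90, minWeeklyDownloads: 500, maxSignals: 1 };

function ageInDays(isoDate, now) {
  const t = Date.parse(isoDate ?? "");
  return Number.isNaN(t) ? null : Math.floor((now - t) / DAY_MS);
}

function assessPackage(meta, now, policy = POLICY) {
  // A name that is not registered at all: nothing to install, so refuse outright.
  if (meta === null) return { allow: false, reasons: ["not found on the registry"] };
  const age = ageInDays(meta.created, now);
  // Cooling window: hard refusal, whatever the other signals say.
  if (age === null || age < policy.coolingDays) {
    return { allow: false, reasons: [`published ${age ?? "?"} day(s) ago, inside the cooling window`] };
  }
  const reasons = [];
  if (age < policy.youngDays) reasons.push(`registered only ${age} days ago`);
  if ((meta.weeklyDownloads ?? 0) < policy.minWeeklyDownloads) reasons.push("almost no downloads");
  if ((meta.maintainerPackageCount ?? 0) <= 1) reasons.push("maintainer's first publish");
  const repoAge = ageInDays(meta.repoCreated, now);
  if (!meta.repository) reasons.push("no repository link");
  else if (repoAge === null || repoAge < policy.youngDays) reasons.push("repository freshly created or age unknown");
  // Tolerate one weak signal so that genuinely new libraries still install.
  return { allow: reasons.length <= policy.maxSignals, reasons };
}

// Constructed sample metadata (not real registry data).
const NOW = Date.parse("2025-06-15T00:00:00Z");
const SAMPLES = {
  established: { created: "2016-03-01T00:00:00Z", weeklyDownloads: 2500000, maintainerPackageCount: 40,
    repository: "https://github.com/example/established", repoCreated: "2016-02-20T00:00:00Z" },
  slopsquat: { created: "2025-06-14T00:00:00Z", weeklyDownloads: 3, maintainerPackageCount: 1,
    repository: null, repoCreated: null },
  agedSquat: { created: "2025-05-20T00:00:00Z", weeklyDownloads: 40, maintainerPackageCount: 1,
    repository: "https://github.com/example/aged", repoCreated: "2025-05-19T00:00:00Z" },
};

for (const [name, meta] of Object.entries(SAMPLES)) {
  const verdict = assessPackage(meta, NOW);
  console.log(name, verdict.allow ? "ALLOW" : "REFUSE", verdict.reasons.join("; "));
}
```

The agedSquat sample shows why the cooling window alone is not enough: a package that has outlived the window is still refused because the remaining signals stack up.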

You retype with the right package name. You move on.

The honest bit

You're not going to start manually checking every package your AI assistant suggests. The whole point of AI assistance is that you don't. The defense has to be automatic, has to refuse the bad ones at the network layer, and has to be invisible the rest of the time. That's the shape of the fix — not "be more careful," not "read the code," not "you should have known." Something that runs in the background, every install, every time.