Slopsquatting Emerges as AI-Driven Supply Chain Threat
Slopsquatting exploits AI hallucinations to inject malware into development workflows, bypassing traditional typosquatting protections.

Slopsquatting represents an emerging supply chain threat made possible by AI hallucinations. As developers increasingly rely on AI coding assistants, they unknowingly grant cybercriminals access to their software from day one. Understanding what slopsquatting is Slopsquatting is a new type of supply chain attack that uses large language model (LLM) hallucinations to inject malicious code into development workflows.
The term combines "AI slop" and "typosquatting," a deceptive practice where attackers register misspelled or lookalike versions of popular domains to prey on users who enter URLs incorrectly. This novel attack vector exploits LLMs' tendency to generate fictitious software package names, which threat actors can then register and populate with malicious code. During AI-assisted coding, the model may generate fake open-source packages — bundled collections of files, programs and installation tools.
This alone is not necessarily harmful. However, if an attacker registers that fake package name, they can inject malware that gets incorporated directly into a developer's codebase. How AI creates a supply chain risk Traditionally, AI safety risks stem from hallucinations , which can adversely affect users who treat misinformation as valid.
However, those same hallucinations have evolved into exploitable security vulnerabilities. Typosquatting is a deceptive practice where a cybercriminal registers a mispelled version of a popular package to trick developers. It has existed for decades, so registries have built protections against it.
However, AI has changed the threat model . It recommends fictitious packages that sound plausible rather than making simple misspellings. Once attackers learn which hallucinated packages models tend to invent, they can register malware-filled packages under those names.
Since the hallucinated packages are not simply typoed versions of popular libraries, there are no protections against this practice at scale. For example, the registry protects against an attacker publishing "crossenv," a squat of the popular "cross-env" package. However, it would not identify "mpn install cross-env file" or "cross-env-extended" as threats.
Hallucinations are persistent and severe Even if many LLMs recommend the same hallucinated package, widespread compromise is still possible. Malicious packages could remain undetected in production for months or even years, allowing threat actors to passively inject malware across countless environments. One research team analyzed 31,267 vulnerabilities belonging to 14,675 packages across 10 programming languages.
They discovered that reported vulnerabilities are increasing at an annual rate of 98%, faster growth than the 25% annual increase in the number of open-source software packages. The team also observed an 85% increase in the average lifespan of vulnerabilities, indicating a decline in security. Real-world dangers of AI hallucinations Malicious actors can create open-access packages under the same name as commonly hallucinated libraries.
Source: VentureBeat