Slopsquatting
A supply chain attack where attackers register package names that AI models tend to hallucinate, then wait for developers to install them
Category: Software Development
Tags: security, cybersecurity, supply-chain-attacks, ai, software-development
Explanation
Slopsquatting is a supply chain attack that exploits AI hallucinations in code generation. When developers ask large language models for help with code, the models sometimes confidently suggest nonexistent package names. Attackers register these hallucinated names on public registries like npm or PyPI, then wait for developers (or AI agents) to install the malicious packages.
The key insight is that LLM hallucinations are not random — they are statistically predictable. The same model will repeatedly hallucinate the same plausible-sounding package names across different sessions and users, making them reliable attack targets. A USENIX Security 2025 study tested 16 code-generation models across 576,000 code samples and found that roughly 20% recommended nonexistent packages, with 43% of hallucinated names being repeated consistently across 10 queries.
Slopsquatting is distinct from typosquatting in several important ways. While typosquatting relies on human typing errors, slopsquatting relies on machine error at scale. Hallucinated names often look completely different from real packages, bypassing registry similarity checks designed to catch typosquats. The rise of vibe coding and autonomous AI agents that install packages without human review has massively increased the attack surface.
Real-world examples include 'huggingface-cli', which was documented by Bar Lanyado of Lasso Security in 2024 as a package name that AI models repeatedly hallucinated. When registered as an empty package on PyPI, it received over 30,000 downloads in three months.
Mitigation strategies include verifying packages before installing (checking publisher identity, creation date, download history), restricting autonomous installation by AI agents and CI/CD pipelines, using lockfiles and pinned dependencies, and employing Software Composition Analysis (SCA) tools to scan dependency trees for suspicious packages.
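The pre-install checks listed above can be turned into an automated gate that sits between an AI assistant's dependency suggestions and the actual install step. The following is an added example, not code from the original page: it assumes a registry metadata snapshot in the constructed shape shown (publisher, creation date, 30-day downloads), which in practice would be filled from the registry's JSON API and a download-statistics source, and it treats the lockfile as the only source of packages an autonomous agent may install unattended. Every package name, publisher and figure in the snapshot is made up.

```python
"""Pre-install gate for dependencies proposed by an AI assistant.

Added example; not code from the original page. It assumes a registry
metadata snapshot in the constructed shape used below (publisher, creation
date, 30-day downloads). In practice those fields would be filled from the
registry's JSON API and a download-statistics source.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed registry snapshot; the package names, publishers and figures are made up.
REGISTRY = {
    "requests": {"publisher": "psf", "created": date(2011, 2, 14), "downloads_30d": 300_000_000},
    "flask-signed-cookies": {"publisher": "indie-dev", "created": date(2019, 3, 1), "downloads_30d": 50_000},
    "numpy-stat-helpers": {"publisher": "new-account-42", "created": date(2025, 5, 20), "downloads_30d": 150},
}

# Constructed lockfile: the only packages an autonomous agent may install unattended.
LOCKFILE = {"requests": "2.32.3"}
TRUSTED_PUBLISHERS = {"psf"}
TODAY = date(2025, 6, 1)  # fixed "today" so the example is deterministic


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Verdict:
    name: str
    decision: str  # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def vet_package(name, lockfile=LOCKFILE, registry=REGISTRY, today=TODAY,
                trusted=TRUSTED_PUBLISHERS, min_age_days=90, min_downloads=10_000) -> Verdict:
    """Classify one suggested package name using lockfile, existence, age, popularity and publisher."""
    name = normalize(name)
    if name in lockfile:
        return Verdict(name, "allow", [f"pinned in lockfile at {lockfile[name]}"])
    meta = registry.get(name)
    if meta is None:
        # Nonexistent today: the kind of name that could be registered by anyone tomorrow.
        return Verdict(name, "block", ["not on registry: likely hallucinated name"])
    reasons = ["not pinned in lockfile"]
    age_days = (today - meta["created"]).days
    too_new = age_days < min_age_days
    too_quiet = meta["downloads_30d"] < min_downloads
    if too_new:
        reasons.append(f"created {age_days} days ago")
    if too_quiet:
        reasons.append(f"only {meta['downloads_30d']} downloads in 30 days")
    if meta["publisher"] not in trusted:
        reasons.append(f"publisher {meta['publisher']!r} not in trusted list")
    # Brand-new and almost unused is the profile of a freshly registered slopsquat.
    decision = "block" if (too_new and too_quiet) else "review"
    return Verdict(name, decision, reasons)


def vet_install_request(names, **kwargs) -> dict:
    """Vet a whole list of suggested names; keys are normalized package names."""
    return {normalize(n): vet_package(n, **kwargs) for n in names}


def unattended_installable(names, **kwargs) -> list:
    """Packages an agent or CI job may install without a human: only 'allow' verdicts."""
    return [v.name for v in vet_install_request(names, **kwargs).values() if v.decision == "allow"]


if __name__ == "__main__":
    suggested = ["Requests", "pandas-ai-connector", "numpy_stat_helpers", "flask-signed-cookies"]
    for v in vet_install_request(suggested).values():
        print(f"{v.decision:6} {v.name}: {'; '.join(v.reasons)}")
    print("unattended install:", unattended_installable(suggested))
```

Only lockfile entries come back as "allow"; an existing but unpinned package is sent for human review with its reasons attached, and a name that is absent from the registry, or that was registered days ago and has almost no download history, is blocked outright. The normalization step matters because assistants often emit casing and separator variants of a name, and the registry treats those as the same project.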