
AI-Hallucinated Dependencies in PyPI and npm: The 2025 Slopsquatting Supply Chain Risk Explained

  • Rescana
  • Apr 21
  • 3 min read

Rescana Cybersecurity Intelligence Report

AI Hallucinated Code Dependencies: The Emerging Supply Chain Risk of "Slopsquatting"


Prepared by: Rescana OSINT Cybersecurity Research Team


Executive Summary

A new supply chain attack vector, termed slopsquatting, is emerging as a direct consequence of the increasing use of generative AI tools for software development. This attack leverages the tendency of large language models (LLMs) to "hallucinate" (i.e., confidently invent) non-existent package names in code recommendations. Malicious actors can weaponize these hallucinated dependencies by publishing malicious packages under those names on repositories such as PyPI and npm, targeting developers who copy AI-generated code without checking it.


Key Findings

1. Slopsquatting: Definition and Mechanism

  • Term Origin: Coined by security researcher Seth Larson, slopsquatting is a variant of typosquatting. While typosquatting abuses typographical errors, slopsquatting exploits plausible but non-existent package names generated by AIs.
  • Attack Vector: Threat actors register packages with names commonly hallucinated by LLMs. When developers use AI-generated code and install these dependencies, they may unknowingly import malicious code.

2. Research and Data

  • Study Reference: arxiv.org Package Hallucination Study (March 2025, referenced in BleepingComputer)
    • Scope: 576,000 generated Python and JavaScript code samples from LLMs.
    • Findings: ~20% of recommended packages didn’t exist.
    • LLMs Tested: Open-source (CodeLlama, DeepSeek, WizardCoder, Mistral) hallucinated more than commercial models (e.g., ChatGPT-4 at 5%).
    • Unique Hallucinated Names: Over 200,000, with 43% repeated across similar prompts and 58% recurring in at least 10 runs.
    • Nature of Names: 38% inspired by real packages, 13% due to typos, 51% completely fabricated.
    • Repeatability: Hallucinated names are not random and are often consistent, making it easier for attackers to identify and target.

3. Current Threat Landscape

  • Exploitation in the Wild:
    • As of April 2025: No confirmed cases of slopsquatting exploitation reported in the wild.
    • Researcher Warning: Security firm Socket highlights the high potential and predictability of this attack surface.
  • APT and Threat Actor Activity:
    • No direct attribution of slopsquatting to known APT groups yet. However, supply chain attacks are a favored vector for groups such as Lazarus Group (APT38, Kimsuky), who have previously abused npm and PyPI for malicious campaigns (see Lazarus npm attack reference, BleepingComputer).

4. Technical Analysis

  • Threat Model:
    1. Developer prompts AI/LLM for code.
    2. AI recommends code with a non-existent (hallucinated) dependency.
    3. Attacker registers this dependency name with malicious code on a package index.
    4. Developer installs the package, leading to compromise.
  • Related MITRE ATT&CK Techniques:
    • T1195 – Supply Chain Compromise
    • T1554 – Compromise Software Supply Chain
    • T1059 – Command and Scripting Interpreter (if malicious package executes code)
    • T1071 – Application Layer Protocol (for exfiltration via malicious dependency)
  • Potential IOCs:
    • Names of hallucinated packages (refer to research for sample lists).
    • Unusual new packages appearing on PyPI/npm with no prior history, especially those not referenced in official documentation or repositories.

Recommendations (Based on Scraped Data)

  • Manual Verification: Always verify the existence and reputation of any package name suggested by AI before installation.
  • Dependency Management:
    • Use dependency scanners, lockfiles, and hash verification to pin packages to known, trusted versions.
    • Cross-check package creation dates and download counts; be suspicious of new packages with generic or plausible names.
  • AI Configuration:
    • Lower the "temperature" (randomness) of LLMs during code generation to reduce the likelihood of hallucinations.
  • Testing:
    • Test AI-generated code in isolated, sandboxed environments prior to deployment.
  • Community/Vendor Action:
    • Package repositories are encouraged to monitor and potentially blacklist names matching known hallucinated dependencies, as suggested by community feedback.
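The Threat Model and Dependency Management sections above describe the defender's checks in words: does the suggested package actually exist on the index, how old is it, and is it pinned by version and hash. The script below is an added example (not Rescana's code and not a tool the report references) that applies those checks to a requirements.txt-style list before anything is installed. The index lookup is injected as a function so the example runs offline against a constructed metadata dictionary; in practice the lookup would query the PyPI JSON API (https://pypi.org/pypi/<name>/json) and derive the first-release date from the upload timestamps it returns. The package names, hashes and dates in the sample data are constructed for illustration; `example-hallucinated-pkg` is a hypothetical name that stands in for an LLM-invented dependency.

```python
"""Pre-install dependency vetting (added example, not the report's own code).

Flags three conditions from the report's recommendations:
  * name not on the index        -> candidate hallucinated dependency
  * package first published recently -> low history, treat with suspicion
  * missing version / --hash pin, or hash not matching the index artifact
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Optional


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class PackageInfo:
    first_release: datetime                 # earliest upload time on the index
    sha256_by_version: dict[str, str]       # expected artifact digest per version


@dataclass
class Finding:
    requirement: str
    name: str
    issues: list[str] = field(default_factory=list)


# "name==version ..." ; extras, markers and other operators are out of scope here
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#\\]+))?")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def vet_requirements(
    lines: Iterable[str],
    lookup: Callable[[str], Optional[PackageInfo]],
    now: Optional[datetime] = None,
    min_age_days: int = 90,
) -> list[Finding]:
    """Return one Finding per requirement line that has at least one issue."""
    now = now or datetime.now(timezone.utc)
    findings: list[Finding] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        f = Finding(line.strip(), name)
        info = lookup(name)
        if info is None:
            # The report's core signal: the AI suggested a name the index has never seen.
            f.issues.append("not on index: possible hallucinated name")
            findings.append(f)
            continue
        age = now - info.first_release
        if age < timedelta(days=min_age_days):
            f.issues.append(f"first published {age.days} days ago")
        if version is None:
            f.issues.append("version not pinned")
        hashes = HASH_RE.findall(line)
        if not hashes:
            f.issues.append("no --hash pin")
        elif version and info.sha256_by_version.get(version) not in hashes:
            f.issues.append("hash does not match index artifact")
        if f.issues:
            findings.append(f)
    return findings


# ---- constructed stand-in for the index (not real PyPI data) --------------
NOW = datetime(2025, 4, 21, tzinfo=timezone.utc)
GOOD_SHA = "a" * 64
CONSTRUCTED_INDEX = {
    "requests": PackageInfo(datetime(2011, 2, 14, tzinfo=timezone.utc), {"2.32.3": GOOD_SHA}),
    "fresh-helper": PackageInfo(NOW - timedelta(days=3), {"0.1.0": "b" * 64}),
}


def constructed_lookup(name: str) -> Optional[PackageInfo]:
    return CONSTRUCTED_INDEX.get(name)


SAMPLE_REQUIREMENTS = [
    "# constructed sample requirements.txt",
    f"requests==2.32.3 --hash=sha256:{GOOD_SHA}",      # fully pinned, matches index
    "requests==2.32.3 --hash=sha256:" + "c" * 64,       # pinned but wrong digest
    "fresh-helper==0.1.0",                              # 3 days old, no hash
    "example-hallucinated-pkg",                         # hypothetical invented name
]


def demo() -> list[Finding]:
    return vet_requirements(SAMPLE_REQUIREMENTS, constructed_lookup, now=NOW)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.requirement}: {'; '.join(finding.issues)}")
```

The script is a gate to run in CI or a pre-commit hook before `pip install`; it does not replace pip's own `--require-hashes` mode, which still enforces the digests at install time. The age threshold (90 days here) is an assumption to tune per organisation, and the same structure applies to npm by swapping the lookup for the registry's package metadata endpoint and the `time.created` field it exposes.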

Conclusion

The AI-driven software supply chain is exposed to new risks through the predictable hallucination of dependency names by LLMs. While widespread exploitation has not yet been observed, the attack surface is real and actionable. Vigilance, manual verification, and strong dependency management are critical for organizations leveraging AI-driven development workflows.



Rescana is here for you

Rescana’s Third Party Risk Management (TPRM) platform is designed to help organizations identify and mitigate supply chain risks, including those arising from new and evolving attack vectors such as slopsquatting. We provide comprehensive visibility into your software supply chain, monitor for emerging threats, and enable proactive risk management across your vendor and dependency ecosystem.

If you have questions regarding this report—or need guidance on AI-driven supply chain risks, threat intelligence, or general cyber risk management—please contact our team at ops at rescana.com. Our specialists are available to provide tailored insights and technical support for your security needs.
