Slopsquatting.

A 2024-coined supply-chain attack where adversaries register package names that LLM code assistants frequently hallucinate, so developers who copy-paste the suggested install command end up pulling malicious code. It belongs to the AI & ML Security category of cybersecurity.

A 2024-coined supply-chain attack where adversaries register package names that LLM code assistants frequently hallucinate, so developers who copy-paste the suggested install command end up pulling malicious code.

Slopsquatting is a software supply-chain attack discovered as LLM-driven coding assistants became mainstream. Researchers documented that models consistently invent plausible-but-nonexistent package names — for example a Python pandas helper, a Node logging library, or a Rust crate that sounds right but has never been published. Attackers register those hallucinated names on the relevant package registry (PyPI, npm, crates.io) with malicious payloads; when a developer follows the AI's suggested `pip install` or `npm install` command, the attacker's code runs in their build environment. The name 'slopsquatting' fuses 'AI slop' with typosquatting. Because the same hallucination tends to repeat across users and even across model versions, a single squatted name can harvest many victims over weeks. Defenses include human verification of every external dependency, deterministic lockfiles, allowlisted registries or proxy registries that block recently-registered packages, and IDE plugins that flag packages the assistant suggested but a curated registry hasn't seen.

Defences for Slopsquatting typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: AI package hallucination attack, LLM package squatting.