Slopsquatting: The AI Package Hallucination Attack You're Probably Not Defending Against

I was doing my TryHackMe training this morning, working through the OWASP LLM Top 10 for 2025, when I hit LLM09:2025 — Misinformation. I thought I had this one covered with Sentinel, my AI security proxy. Misinformation detection, hallucination flagging — I'd mapped all of it. Then I went deeper and hit something I hadn't explicitly named: package hallucination. I'd seen it happen. I'd caught it myself because I know PyPI well enough to recognize when a package name smells wrong. But if I hadn't? I'd have installed someone else's malware. This is the attack the security community has started calling slopsquatting, and it's live in the wild right now. What OWASP LLM09:2025 Actually Says LLM09 covers the risk of AI-generated content that is factually incorrect, misleading, or fabricated — and the downstream consequences when people or systems act on it without verification. Most people read this as: "the AI made up a fact." The real threat surface is much wider. LLMs don't just hallucinate facts. They hallucinate code, APIs, configurations, and package names. When those hallucinations get trusted and executed, the consequences aren't just wrong answers — they're exploitable attack vectors. Package hallucination is one of the most dangerous expressions of LLM09 because: The hallucinated output looks completely plausible Developers have been trained to trust and execute install commands without much scrutiny Attackers have already automated the process of finding and registering the names LLMs hallucinate most consistently The Attack Chain: Slopsquatting The name was coined by Seth Larson of the Python Software Foundation in April 2025. Slop as in low-quality AI output. Squatting as in claiming a name for hostile purposes. Here's how it works: Step 1 — The Hallucination A developer asks an LLM to help connect a Python app to a less-common API. The model doesn't have a clean answer, but it doesn't say that. Instead, it pattern-matches from its training data: "You can use pip install starlette-reverse-proxy for this." The package name is plausible. It follows the naming conventions of the Starlette ecosystem perfectly. The developer has no reason to doubt it. Step 2 — The Squatting Attackers have already run thousands of prompts against popular models, harvested the package names that appear consistently across runs, and registered them on PyPI or npm. A 2025 USENIX Security paper found that 43% of hallucinated package names reappear on every single run of the same prompt. The hallucinations aren't random — they're targetable and predictable. Step 3 — The Infection pip install starlette-reverse-proxy # Running setup.py install... # [your credentials are already gone] The post-install script executes. Environment variables, API keys, AWS tokens, SSH keys — anything sitting in the shell environment gets exfiltrated. Some packages skip the malicious code entirely and use pip's support for URL-based dependencies to fetch the payload from an external server at install time, keeping the package itself clean for scanners. Step 4 — Scale The researcher Bar Lanyado registered huggingface-cli as an empty test package after watching GPT consistently recommend it. Within three months: 30,000 downloads. Alibaba copy-pasted the fake install command directly into their own public documentation. The hallucination cascades downstream before anyone catches it. Why This Is Harder to Catch Than It Looks Your first instinct might be: just verify the package exists before installing it. That's necessary, but not sufficient. Here's why: Download count is not a reliable signal. Malicious packages accumulate real downloads — both from victims and from the attacker's own bots inflating the count to pass automated checks. The cross-ecosystem confusion attack is subtle. Nearly 9% of Python package names hallucinated by models turn out to be valid JavaScript packages. LLMs trained on multi-language data bleed recommendations across ecosystems. A real npm package suggested for a Python project sounds completely legitimate. Attackers move fast. They've automated both the hallucination harvesting and the registration. By the time a name starts appearing in developer searches or Stack Overflow answers, it may already be squatted. Agentic pipelines have no human in the loop. When your AI coding agent or CI pipeline can autonomously run pip install, the verification step a human would normally perform is simply absent. Where Sentinel Sits in This Problem Sentinel is an AI security proxy — it sits between your application and the LLM, analyzing both what goes in and what comes out. It already handles prompt injection detection, content neutralization, and several other LLM09-adjacent threats through a multi-tier detection pipeline. The slopsquatting vector is interesting because it's a response-side problem. The attack doesn't live in the prompt — it lives in the LLM's output, in the form of an install command that looks completely legitimate. Sentinel is already in the response path. That's the structural advantage. The question was: what does it check against? That's what I built this morning. Introducing SlopScan SlopScan is a lightweight FastAPI micro-service that scores AI-suggested packages for trustworthiness before they get installed. It's free, open source (Apache 2.0), and designed to be queried by AI agents, proxy layers like Sentinel, or directly from CI pipelines. How the Scoring Works Every package check runs four signals, weighted into a single trust score (0–100): Signal Weight What it catches Package age 30% Packages registered last week have near-zero score Download count 25% Real packages have real usage histories Version count 15% One release = no maintenance history Maintainer age 15% Brand new publisher account = red flag Cross-ecosystem hit 15% Real npm package suggested for Python? Flag it. Risk levels: SAFE (≥75) | CAUTION (≥50) | SUSPICIOUS (≥25) | DANGEROUS (<25) Try It Locally in Two Minutes git clone https://github.com/c0ri/SlopScan.git cd SlopScan pip install -r requirements.txt uvicorn main:app --host 0.0.0.0 --port 8765 --reload Single Package Check curl http://localhost:8765/check/pypi/requests { "package": "requests", "ecosystem": "pypi", "found": true, "trust_score": 97, "risk": "SAFE", "flags": [], "metadata": { "age_days": 5200, "version_count": 48, "author": "Kenneth Reitz" } } Now the hallucinated one from the Trend Micro research: curl http://localhost:8765/check/pypi/starlette-reverse-proxy { "package": "starlette-reverse-proxy", "ecosystem": "pypi", "found": false, "trust_score": 0, "risk": "DANGEROUS", "flags": ["Package does not exist in registry — likely hallucinated"] } Batch Check Perfect for scanning a full requirements.txt or a set of agent-generated dependencies: curl -X POST http://localhost:8765/check/batch \ -H "Content-Type: application/json" \ -d '{ "packages": [ {"ecosystem": "pypi", "name": "requests"}, {"ecosystem": "npm", "name": "lodash"}, {"ecosystem": "pypi", "name": "starlette-reverse-proxy"} ] }' { "results": [...], "summary": { "total": 3, "safe": 2, "caution": 0, "suspicious": 0, "dangerous": 1 } } Wiring It Into Sentinel (or Your Own Proxy) import re import httpx INSTALL_PATTERN = re.compile( r'pip install ([a-zA-Z0-9_\-\.]+)|' r'npm install ([@a-zA-Z0-9_\-\/\.]+)|' r'import ([a-zA-Z0-9_]+)|' r'require\([\'"]([a-zA-Z0-9_\-@\/]+)[\'"]\)' ) async def check_llm_response(response_text: str): packages = extract_packages(response_text) # regex over INSTALL_PATTERN async with httpx.AsyncClient() as client: for pkg in packages: result = await client.get( f"http://slopscan:8765/check/{pkg.ecosystem}/{pkg.name}" ) score = result.json() if score["risk"] in ("SUSPICIOUS", "DANGEROUS"): # Flag in Sentinel, block agentic install, alert the user sentinel.flag( response_text, reason=f"Slopsquatting risk detected: {pkg.name}", details=score ) What's Next for SlopScan This is v0.1 — functional, tested against live registries, and ready to be useful right now. The roadmap has clear targets for where community contributions can take it: Tier 3 — Hallucination fingerprint database: systematically prompt popular models, harvest the names that appear consistently, build a known-bad blocklist. The 43% repeatability stat makes this highly effective. Real download counts via pypistats.org and the npm downloads API (current version uses estimates) GitHub signal integration: stars, last commit date, organization ownership — hard signals that legitimate packages have and squatters don't Additional ecosystems: crates.io, RubyGems, NuGet — each is ~30 lines following the same fetcher pattern Redis cache backend for multi-instance deployments Docker image on Docker Hub The Bigger Picture Slopsquatting sits at the intersection of two trends that aren't going away: AI coding assistants getting more autonomous, and the software supply chain remaining a high-value attack surface. The numbers are stark. Around 20% of AI-generated code references packages that don't exist. Attackers have automated the harvesting of those names. The huggingface-cli experiment showed 30,000 downloads for an empty package registered by a researcher — imagine what a motivated attacker does with the same playbook. The defense doesn't require abandoning AI-assisted development. It requires treating autonomous package installation as a privileged operation and adding a verification step where humans are no longer in the loop to provide one naturally. SlopScan is one piece of that. Sentinel is the broader layer. Both are free to use, and SlopScan is free to contribute to. If you build on it, find a bug, or want to add an ecosystem — PRs are open. → github.com/c0ri/SlopScan Cori is a network architect and IT Solutions Architect with 30+ years of automation and security experience. He is the founder of Skyblue and the creator of Sentinel-Proxy AI Firewall, an AI security proxy.

Read full story →