Your AI Coding Agent Just Got Conned by a Package That Doesn't Exist Yet
Researchers presenting at USENIX Security 2025 (Spracklen et al.) tested 16 models across 576,000 generated code samples and found that roughly a fifth of the package names the models suggested don't exist in any registry: about 5% for commercial models, nearly 22% for open-source ones, more than 200,000 unique fictional names in all. The models made them up. Plausible names, real-looking syntax, completely fictional packages.
That used to be funny. It's not funny anymore. A North Korean APT group tracked as Famous Chollima figured out the punchline first: if you can predict which packages an AI will hallucinate, you can register them yourself, with a payload inside. ReversingLabs is tracking an active campaign, dubbed PromptMink, that does exactly this, using what the report calls "LLM Optimization (LLMO) abuse and knowledge injection" to nudge AI coding agents toward malicious packages by name.
The defining attack of 2026 isn't a zero-day. It's a no-day: exploiting a dependency the model invents, in a package that doesn't exist until an attacker registers it.
Slopsquatting Kills the Old Defense
Typosquatting was the old version of this game. Somebody fat-fingers requets instead of requests, the attacker has already registered requets, the payload lands. The defense was at least tractable: the real name exists, so a spell-check on imports or a dependency scanner that knows the real package names catches the miss.
Slopsquatting kills that defense. The dependency isn't a typo; it's a perfectly spelled, syntactically plausible name the model confidently generated, like express-mongoose (which doesn't exist; the model conflated two real packages) or pandas-utils (it just sounds like it should exist). The same study found the hallucinations follow predictable patterns: 38% borrow from or blend real packages, 13% are typo-shaped variants, and 51% are pure fabrications. The scary part is that they are repeatable: 58% of hallucinated names recurred when a prompt was re-run ten times, and 43% came back in all ten runs, which means the model hands the same fictional name to different sessions and different users.
Once that's true, an attacker doesn't need to compromise anything. They just have to figure out which names the popular models hallucinate, register them on npm, PyPI, or crates.io with a payload, and wait. The model keeps generating the same suggestion. Developers keep accepting it. The attacker never broke anything; they just got there first. PromptMink goes further with LLMO, the SEO of the AI-suggestion era: poison the public corpus with docs and blog posts referencing your malicious package, and future model versions "learn" it exists and start suggesting it organically. That's a training-data poisoning attack that uses the public web as its delivery mechanism.
How Stupid the Defense Story Is Right Now
I want to be precise about this. Your dependency scanner can't help you here. Tools like Snyk and Dependabot check what's in your manifest against databases of known-vulnerable versions. A hallucinated package the attacker registered three hours ago isn't in any of those databases, so your scanner reports nothing. It looks "clean" because it's brand new. So is malware on day one.
Your reviewer can't help you either. A second engineer reading the PR sees import @data-tools/csv-parser and thinks "yeah, reasonable." The name is well-formed. Most reviewers don't stop a PR to verify that every dependency actually exists in the form the imports claim. Your AI reviewer especially can't help you: same training pedigree, same blind spots. The defense and the attack are drawing from the same well.
What actually helps, today: pin to exact versions with hashes, not version ranges, so a payload can't be swapped in under a name you already trust (this doesn't stop the first install of a squatted package, it stops a package you vetted from silently changing). Maintain an allowlist: anything outside your standardized dependency set is a hard-stop, not a soft warning. Add a "first time we've ever seen this package" signal to CI, and check the registry's own publish timestamp while you're there; it's the highest-signal, lowest-cost heuristic against slopsquatting there is. And get suspicious of dependencies introduced by AI commits, especially small utility packages with generic names; those are the easiest targets.
Code review used to ask "is this code correct?" Now it has to ask "does this code import anything that didn't exist a week ago, and how confident are we about the answer?"
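One way to wire the allowlist and "first time we've seen this package" checks into CI, as an added example that is not from the article or from any vendor's tooling. It assumes a 30-day minimum package age (MIN_AGE_DAYS, an arbitrary threshold you would tune), takes registry documents as already-parsed JSON so the demo runs offline, and the sample registry contents and dependency list are constructed for the demo; fetch_metadata shows the real npm and PyPI JSON endpoints a live run would call, and the field names it reads are the ones those registries actually return.

```python
"""CI gate for dependencies introduced by AI-generated commits (example code).

Two cheap controls: an allowlist hard-stop, and a first-seen age check using
the registry's own publish timestamps (npm: time.created;
PyPI: releases[version][file]["upload_time_iso_8601"]).
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_AGE_DAYS = 30  # assumption: younger than this is blocked until a human signs off

REGISTRY_URL = {
    "npm": "https://registry.npmjs.org/{name}",
    "pypi": "https://pypi.org/pypi/{name}/json",
}


def fetch_metadata(ecosystem: str, name: str) -> Optional[dict]:
    """Live lookup for real CI use (not called by the offline demo).
    Returns the parsed registry document, or None on 404, i.e. the package
    does not exist (yet)."""
    url = REGISTRY_URL[ecosystem].format(name=name)
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def _parse_ts(stamp: str) -> datetime:
    # Both registries emit RFC 3339 with a trailing 'Z'; fromisoformat wants +00:00.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def first_seen(ecosystem: str, meta: dict) -> Optional[datetime]:
    """Earliest moment the package existed, according to the registry document."""
    if ecosystem == "npm":
        created = meta.get("time", {}).get("created")
        return _parse_ts(created) if created else None
    if ecosystem == "pypi":
        stamps = [
            f["upload_time_iso_8601"]
            for files in meta.get("releases", {}).values()
            for f in files
        ]
        return min(map(_parse_ts, stamps)) if stamps else None
    raise ValueError(f"unsupported ecosystem: {ecosystem}")


def check_dependency(ecosystem, name, meta, allowlist, now, min_age_days=MIN_AGE_DAYS):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
    if name in allowlist:
        return "allow", "on the organisation allowlist"
    if meta is None:
        return "block", "not in the registry: hallucinated, and free for an attacker to register"
    seen = first_seen(ecosystem, meta)
    if seen is None:
        return "review", "registry document carries no publish timestamp"
    age_days = (now - seen).days
    if age_days < min_age_days:
        return "block", f"first published only {age_days} days ago"
    return "review", f"not on the allowlist (first published {seen.date()})"


def audit(deps, registry, allowlist, now):
    """deps: (ecosystem, name) pairs pulled from the changed manifest or lockfile.
    registry: {(ecosystem, name): parsed document, or None for a 404}."""
    return {
        name: check_dependency(eco, name, registry.get((eco, name)), allowlist, now)
        for eco, name in deps
    }


# Constructed registry documents for the demo (NOT real registry responses; the
# names are the article's hypotheticals plus one long-established package).
NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)
SAMPLE_REGISTRY = {
    ("npm", "express"): {"time": {"created": "2010-12-29T19:38:25.450Z"}},
    ("npm", "@data-tools/csv-parser"): None,  # 404: nobody has registered it
    ("pypi", "pandas-utils"): {  # registered days ago: the squatted case
        "releases": {"0.0.1": [{"upload_time_iso_8601": "2026-03-07T09:15:00.000000Z"}]}
    },
}
ALLOWLIST = {"express"}
AI_COMMIT_DEPS = [("npm", "express"), ("npm", "@data-tools/csv-parser"), ("pypi", "pandas-utils")]

if __name__ == "__main__":
    for pkg, (verdict, why) in audit(AI_COMMIT_DEPS, SAMPLE_REGISTRY, ALLOWLIST, NOW).items():
        print(f"{verdict:6} {pkg}: {why}")
```

A "block" on a name the registry has never seen is the hallucination itself, caught before anyone squats it; the age check covers the case where the attacker already has. The threshold is a heuristic, not a guarantee: a patient attacker can register a name and wait out the window, which is why the allowlist is the hard-stop and the age signal is only the cheap early warning.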
A Vulnerability in the Way the Model Imagines the World
For two years the supply-chain conversation about AI was about the output — AI writes insecure code, brittle code. Real, worth fixing, and boring: it's an old problem we know how to address with testing and scanners.
Slopsquatting is different. It's a vulnerability in the way the model imagines the world. The model's confident hallucination of a package becomes the attack surface. We've never had a class of attacks that depend on the imagination of the artifact-generation tool before. There's no SAST rule for "your AI made this up," and no CVE, because the CVE database tracks vulnerabilities in real software — not in the latent space of a model.
And here's the part that should haunt every engineering leader: the attackers know which packages get hallucinated more often than the defenders do. Famous Chollima is reading the same papers we are, picking the highest-probability fabrications, and squatting them in industrial volume — effectively running an A/B test on which fake packages the popular models suggest most consistently. They'll keep doing it because it's cheap, quiet, and aligned with their existing playbook of robbing fintech dev shops to fund a sanctioned regime.
This is the one that makes me nervous about my own setup. I'm an EM in regulated finance. Half the tooling we evaluate ships with AI coding assistants on by default. The threat model I was briefed on assumes attackers compromise things that exist. The actual 2026 threat model is attackers getting ahead of things that don't exist yet, because they can read the model's mind. That's not in the framework. It will be soon — the question is whether it gets there before or after a regulated firm has to write a public disclosure about how a North Korean package wound up in production because an assistant suggested it and nobody checked the registry timestamp.
Sources: Slopsquatting: The AI Package Hallucination Attack Already Happening | Aikido · Supply-chain attacks take aim at your AI coding agents | CSO Online · Slopsquatting: When AI Agents Hallucinate Malicious Packages | Trend Micro · The Hallucinated Package Attack: Slopsquatting Explained | Mend.io