AI Tools Are Hallucinating Software Dependencies – And Cybercriminals Are Taking Advantage


The growing integration of large language models (LLMs) into software development is transforming how code is written. AI-powered coding assistants, such as GitHub Copilot and similar tools, are now widely used to accelerate programming tasks. However, alongside these benefits comes a mounting concern: LLMs frequently hallucinate software dependencies, posing serious risks to the integrity of the software supply chain.

These hallucinations occur when an AI tool suggests the use of a software package or dependency that doesn’t actually exist. While this might initially seem like a harmless error that simply leads to an installation failure, the reality is far more concerning. Malicious actors have identified an opportunity to exploit these non-existent packages by registering them on public package repositories like PyPI or npm. This tactic enables attackers to spread malware under the guise of legitimate-looking software.

Once uploaded, these fake packages are ready to be pulled into projects by unsuspecting developers. Since LLMs often regenerate the same hallucinated names under similar prompts, attackers can rely on repeated exposure. Research shows that 43% of hallucinated packages were consistently suggested in repeated prompt sessions, which gives attackers a stable vector for injecting malicious software into developer workflows.

This tactic resembles typosquatting, a well-known strategy in which attackers create malicious packages with names that are slight variations of popular ones. In this new AI-driven variant, dubbed "slopsquatting" by security experts, the fabricated package names originate from the AI itself — effectively creating new vulnerabilities that didn't previously exist.

Security researchers have been raising awareness of this issue for over a year. Recent studies comparing commercial and open-source AI models found that while commercial models hallucinate packages about 5% of the time, open-source models do so nearly 22% of the time. The higher error rate with open models reflects both a lack of curation and the broader challenges of AI-generated content in software development.

The danger is compounded by the way developers interact with these AI tools. Instead of verifying code suggestions, many simply copy and paste recommendations or allow AI agents to automatically install dependencies. This practice, sometimes referred to as “vibe coding,” reflects a shift toward faster but potentially riskier software development. Fake packages are often made to appear trustworthy, featuring convincing READMEs, imitation GitHub repositories, and even AI-generated blogs that reinforce their legitimacy.

To make matters worse, other AI systems can unknowingly validate these malicious packages. For instance, Google’s AI-generated search summaries have at times described slopsquatted packages as stable and well-maintained, simply by repeating information from the package's README. Such misrepresentation can easily mislead developers in a rush.

The issue isn’t purely theoretical. Earlier this year, a malicious npm package, @async-mutex/mutex, impersonated the legitimate async-mutex package. This package was even promoted by an AI-powered Google search result. Additionally, a cybercriminal using the alias "_Iain" reportedly developed a method to mass-produce typosquatted npm packages, even leveraging ChatGPT to fabricate realistic-sounding package names. These packages, some targeting cryptocurrency libraries, were part of a broader scheme to establish a blockchain-based botnet.

In response to these emerging threats, organizations like the Python Software Foundation are ramping up efforts to strengthen package ecosystem security. Initiatives include programmatic tools for malware reporting, improved detection of suspicious package names, and closer collaboration with security teams. Sponsors such as Alpha-Omega are backing these efforts to reduce the risk of malware distribution via PyPI.

Security professionals recommend that developers exercise caution by verifying the authenticity of packages, checking for typos, and reviewing package contents before installation. Companies are also encouraged to mirror trusted subsets of repositories internally, giving them more control over which packages are accessible to their developers.
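As an added example (not code from the article or from any organization it names), the script below turns these recommendations into a pre-install gate that runs before a dependency list, AI-suggested or otherwise, is installed. It refuses anything absent from a curated internal allowlist, which stands in for the mirrored trusted subset, and separately flags names within a short edit distance of popular packages as well as npm scoped names that reuse a popular package name, the pattern behind the @async-mutex/mutex case described earlier. The allowlist, the popular-name list, the edit-distance threshold and the sample dependency lines are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not real mirror contents): the curated internal
# allowlist stands in for the "trusted subset" a company mirrors, and POPULAR
# is the set of well-known names used for look-alike detection.
ALLOWLIST = {
    "pypi": {"requests", "numpy", "Flask", "cryptography"},
    "npm": {"async-mutex", "lodash", "express"},
}
POPULAR = {
    "pypi": {"requests", "numpy", "flask", "cryptography", "pandas", "django"},
    "npm": {"async-mutex", "lodash", "express", "react", "axios"},
}
MAX_EDITS = 2  # assumed threshold: names this close to a popular one are suspicious


def normalize(name: str) -> str:
    """PyPI-style normalization: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def parse_spec(spec: str, ecosystem: str) -> str:
    """Return just the package name from a dependency line.

    Handles 'requests>=2.28', 'Flask[async]', 'lodash@4.17.21' and scoped npm
    names such as '@scope/pkg@1.0.0', where the leading '@' is part of the name.
    """
    spec = spec.strip()
    if ecosystem == "npm":
        scoped = spec.startswith("@")
        body = spec[1:] if scoped else spec
        name = body.split("@", 1)[0]
        return "@" + name if scoped else name
    return re.split(r"[\s\[<>=!~;]", spec, 1)[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard DP; package names are short, so this is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    name: str
    verdict: str  # allowed | scope-shadow | unmirrored | lookalike | unknown
    detail: str = ""


def assess(spec: str, ecosystem: str) -> Finding:
    """Classify one dependency line; anything other than 'allowed' should block the install."""
    name = parse_spec(spec, ecosystem)
    norm = normalize(name)
    allowed = {normalize(n) for n in ALLOWLIST[ecosystem]}
    popular = {normalize(n) for n in POPULAR[ecosystem]}
    if norm in allowed:
        return Finding(name, "allowed")
    # npm scope shadowing: '@async-mutex/mutex' borrows the name 'async-mutex'.
    if ecosystem == "npm" and norm.startswith("@") and "/" in norm:
        scope, pkg = norm[1:].split("/", 1)
        hit = next((p for p in popular if p in (scope, pkg)), None)
        if hit:
            return Finding(name, "scope-shadow", f"reuses popular name '{hit}'")
    if norm in popular:
        return Finding(name, "unmirrored", "real package but not in the internal mirror")
    if len(norm) >= 4:
        near = [p for p in popular if levenshtein(norm, p) <= MAX_EDITS]
        if near:
            return Finding(name, "lookalike", f"close to {sorted(near)}")
    # Neither mirrored nor known: exactly what a hallucinated name looks like.
    return Finding(name, "unknown", "not in mirror; verify on the registry before adding")


def gate(specs, ecosystem: str):
    """Run assess() over a dependency list and return the findings that block installation."""
    return [f for f in (assess(s, ecosystem) for s in specs) if f.verdict != "allowed"]


if __name__ == "__main__":
    # Constructed sample of an AI-suggested dependency list.
    suggested = ["requests>=2.28", "reqeusts", "pandas", "fastjson-utils-pro"]
    for f in gate(suggested, "pypi"):
        print(f"BLOCK {f.name}: {f.verdict} {f.detail}")
    for f in gate(["@async-mutex/mutex@1.0.0", "lodash@4.17.21"], "npm"):
        print(f"BLOCK {f.name}: {f.verdict} {f.detail}")
```

The allowlist check is the only one that actually enforces the mirror; the look-alike and scope-shadow verdicts are heuristics that tell a reviewer why a name was blocked, and a name that is merely "unknown" still needs a human to confirm the package exists and inspect its contents before it is added to the mirror.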

The rise of LLMs in software development offers great promise, but also introduces new vulnerabilities that demand awareness, diligence, and stronger safeguards across the software supply chain.