The rapid integration of AI-driven coding agents, such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI, has revolutionized developer workflows, boosting productivity through auto-completion, dependency suggestions, and automated installations.
Yet, beneath this seamless “vibe-coding” experience lurks a sophisticated supply-chain risk that is not being addressed. This novel threat, highlighted in new research, exploits the very intelligence and automation designed to streamline modern software development.
Slopsquatting – Hallucinated Dependencies, Real-World Threats
Slopsquatting is an evolution of classic typosquatting, exploiting not human error but the “hallucinations” of AI coding agents.
When AI assistants suggest a plausible, non-existent package name, say, starlette-reverse-proxyMalicious actors can pre-register that name on public repositories like PyPI, embedding malware ready to be pulled directly into an unwitting developer’s build.
Advanced agents partially mitigate this risk. For instance, Claude Code CLI validates package existence via real-time web searches, while OpenAI Codex CLI automatically tests installation commands and pruning failures.
Cursor AI’s Model Context Protocol (MCP) leverages live registry queries and task decomposition for extra rigor.
However, even these advanced systems are not immune; research finds that edge-case hallucinations and context-gap filling still lead to occasional phantom dependencies, particularly on high-complexity tasks or where statistical conventions outpace real-world validation.
Attackers, meanwhile, exploit these gaps by monitoring for novel, plausible-looking package names being queried or installed. By occupying these “AI-invented” dependencies before defenders can respond, they can introduce malware at the moment of installation—circumventing traditional defenses.
Securing the Pipeline – Actionable Defenses
Mitigating stop squatting requires a layered, defense-in-depth approach. Key recommendations include:
- Provenance Tracking: Utilize cryptographically signed Software Bills of Materials (SBOMs) to verify the dependencies of every build.
- Automated Vulnerability Scanning: Integrate tools such as Safety CLI or OWASP dep-scan into continuous integration pipelines to flag risky packages and known CVEs.
- Sandboxed Installations: Run all AI-suggested
pip installcommands inside disposable containers or ephemeral virtual machines, only promoting vetted artifacts. - Real-Time Validation & Human Oversight: Design AI prompts to require existence checks before finalizing code and mandate manual review for unfamiliar packages.
Ultimately, while AI coding agents are indispensable for rapid prototyping and automation, their hallucinations introduce a new paradigm of supply-chain risks.
Security practitioners must treat dependency resolution as an auditable, multi-layered workflow, thereby reducing the attack surface and securing the future of AI-powered development.
