Home / Incidents / Hallucination

Hallucination

AI Agent Failure Mode — 6 Documented Incidents

What is Hallucination?

Hallucination occurs when an AI coding agent references APIs, functions, packages, libraries, or files that do not exist. The agent confidently generates code that calls nonexistent methods, imports fictional packages, or references documentation that was never written. This is one of the most common AI agent failure modes because the model generates plausible-looking code based on patterns rather than verified reality.

6
Total Incidents
3.1
Avg Severity /10
4
Agents Affected
0
Critical

Which AI agent hallucinations the most?

Multiple-llms 3 incidents
Claude-code 1 incidents
Devin 1 incidents
Cursor 1 incidents

All Hallucination Incidents

STUPID-2026-0033 6.4/10 MEDIUM Multiple-llms

Slopsquatting: LLMs hallucinate package names attackers pre-register (react-codeshift, unused-imports)

'Slopsquatting' is a supply-chain attack that weaponizes a systematic AI failure: coding agents confidently recommend packages that do not exist. Across 576,000 code samples genera

STUPID-2026-0036 2.9/10 LOW Cursor

Cursor's own support AI 'Sam' invented a one-device login policy, triggering subscription cancellations

In April 2025, Cursor users began getting unexpectedly logged out — caused by a session-management race condition on slow connections. When they contacted support, Cursor's AI supp

STUPID-2026-0049 2.5/10 LOW Multiple-llms

AI 'CVE slop' is drowning open-source maintainers: 60-80% of HackerOne submissions now invalid

Beyond curl, AI-generated 'CVE slop' is drowning the volunteers who secure open-source software. HackerOne now reports that 60-80% of vulnerability submissions across its platform

STUPID-2026-0037 2.5/10 LOW Multiple-llms

AI 'slop' vulnerability reports flooded curl until it killed its bug bounty

curl's founder Daniel Stenberg shut down the project's long-running HackerOne bug bounty at the end of January 2026 after being overwhelmed by AI-generated 'slop' — long, confident

STUPID-2026-0008 2.1/10 LOW Claude-code

Claude Code hallucinated a non-existent npm package and installed it

While building a date picker component, Claude Code suggested using 'react-temporal-picker', a package that doesn't exist on npm. It proceeded to write import statements and compon

STUPID-2026-0016 2.1/10 LOW Devin

Devin docs PR rejected by Prefect maintainers — documented behavior from removed feature

Devin submitted a docs PR to PrefectHQ/prefect (21K+ stars) explaining a Kubernetes worker behavior. The PR was closed because it documented a feature that had already been removed