Slopsquatting: LLMs hallucinate package names attackers pre-register (react-codeshift, unused-imports)
Quick Answer
Multiple-llms caused a medium-severity (6.4/10) hallucination failure: Slopsquatting: LLMs hallucinate package names attackers pre-register (react-codeshift, unused-imports). The root cause was training data gap. Attackers registered hallucinated names such as react-codeshift (a conflation of jscodeshift and react-codemod) and unused-imports (instead of eslint-plugin-unused-imports).
Description
'Slopsquatting' is a supply-chain attack that weaponizes a systematic AI failure: coding agents confidently recommend packages that do not exist. Across 576,000 code samples generated by 16 different LLMs, roughly 19.7% of recommended packages were hallucinations — and when identical prompts were re-run ten times, 43% of the fake names appeared on every single run. That predictability is the exploit: an attacker runs a few dozen prompts, harvests the names that consistently recur, and registers them as malware before anyone else. Documented cases include react-codeshift (a name an LLM produced by conflating the real jscodeshift and react-codemod tools) and unused-imports (hallucinated in place of eslint-plugin-unused-imports). npm's typosquatting collision detection offers no defense, because hallucinated names are brand-new strings with nothing to collide against.
Instruction Given
Recommend or install packages while generating code.
Expected Behavior
Only reference packages that actually exist and are verified before installation.
Actual Behavior
Across 576,000 code samples from 16 LLMs, roughly 19.7% of recommended packages did not exist. 43% of hallucinated names recurred on every one of ten identical runs — predictable enough that attackers pre-register the names as malware.
Impact / Damage
Attackers registered hallucinated names such as react-codeshift (a conflation of jscodeshift and react-codemod) and unused-imports (instead of eslint-plugin-unused-imports). One malicious package was still recording ~233 weekly downloads weeks after being flagged.
Frequently Asked Questions
What happened in incident STUPID-2026-0033? ▾
'Slopsquatting' is a supply-chain attack that weaponizes a systematic AI failure: coding agents confidently recommend packages that do not exist. Across 576,000 code samples generated by 16 different LLMs, roughly 19.7% of recommended packages were hallucinations — and when identical prompts were re-run ten times, 43% of the fake names appeared on every single run. That predictability is the exploit: an attacker runs a few dozen prompts, harvests the names that consistently recur, and registers them as malware before anyone else. Documented cases include react-codeshift (a name an LLM produced by conflating the real jscodeshift and react-codemod tools) and unused-imports (hallucinated in place of eslint-plugin-unused-imports). npm's typosquatting collision detection offers no defense, because hallucinated names are brand-new strings with nothing to collide against.
Which AI agent caused this failure? ▾
Multiple-llms was responsible for this hallucination incident, documented as STUPID-2026-0033 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 6.4/10 (medium) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as training data gap. Only reference packages that actually exist and are verified before installation.
What was the impact or damage? ▾
Attackers registered hallucinated names such as react-codeshift (a conflation of jscodeshift and react-codemod) and unused-imports (instead of eslint-plugin-unused-imports). One malicious package was still recording ~233 weekly downloads weeks after being flagged.