Jamshir Qureshi, MUFG Bank Ltd.

getty
In March 2026, attackers compromised the LiteLLM PyPI publishing account and released two malicious versions of the LiteLLM package (1.82.7 and 1.82.8). The backdoored packages were available for a short window before being detected and quarantined. The incident was traced to a broader supply chain compromise involving a CI/CD security scanning dependency (Trivy) used in the project’s release pipeline.
That same month, researchers discovered 127 package names—109 on PyPI and 18 on npm—that every major frontier model consistently hallucinates. These model-agnostic, repeatedly generated package names represent a supply chain attack surface that cannot be covered by any single-vendor security scan.
This is slopsquatting: attackers pre‑registering hallucinated dependencies that AI tools suggest. Traditional security cannot stop it, and the architectural implications demand a fundamentally different approach.
The Slopsquatting Reality
A Usenix Security 2025 study testing 16 models across 576,000 samples found commercial models hallucinate at 5.2%, open-source models at 21.7%. When a hallucination-generating prompt is repeated, the same package name reappears 43% of the time; 58% of hallucinated names repeat across independent sessions, a stable pattern attackers can profile.
Attackers are already weaponizing this. In January 2026, the hallucinated package `react-codeshift` spread to 237 repositories via 47 agent skill files without human review. When a researcher claimed the name, AI agents were already downloading it daily. Meanwhile, supply chain attacks escalate and traditional SBOMs and scanners cannot see what does not yet exist. A 2026 Sonatype analysis found that nearly 27.8% of dependency recommendations for the leading LLM were hallucinations—versions that do not exist. The window between hallucination and installation is measured in hours.
Where Traditional Defenses Fail
Software bills of materials (SBOMs) list intended dependencies, but hallucinated packages do not appear until they are actually installed. Static analysis tools scan for known CVEs, yet a newly registered hallucinated package has no vulnerability history to detect. Allowlists cannot block a dependency name that an AI has just invented. Traditional controls assume the threat already exists and is identifiable.
Slopsquatting inverts that model: The attacker registers the package only after the AI hallucinates it, but before installation occurs. Defending against this requires pre-deployment verification built directly into the software delivery pipeline.
The Architecture Of Pre-Deployment Trust Verification
To defend against slopsquatting, proactive trust verification must occur before any dependency lands in a developer's hands. My research into supply chain integrity shows that verification effectively rests on four pillars.
1. Dependency Existence Validation
The pipeline should confirm that a package and version actually exist in the target registry before installation. Most workflows ignore this, blindly trusting AI-generated suggestions. If a package does not exist at resolution time, the pipeline should stop. Automated checks close the window that slopsquatting exploits.
2. Cryptographic Provenance Verification
Cryptographic provenance verification asks if a package is what it says it is. This allows an organization to validate the signature at dependency resolution, preventing substitution after validation and ensuring that each artifact is from a verifiable publisher identity.
3. Registry Gate Policy Enforcement
Registry gate policy enforcement goes beyond manual approval processes. AI-suggested dependencies are evaluated in milliseconds against machine-readable policies—such as allowed registries, required signatures and CVSS thresholds—enforced directly within CI/CD pipelines. Most modern pipeline frameworks already expose primitives for this capability.
4. Immutable Audit Logging
Immutable audit logging fills the accountability gap. In regulated environments, compliance demands that you demonstrate every dependency has been verified. The logs are append-only and cryptographically chained to provide tamper-evident records of each decision of verification, which can be used to trace incidents with precision.
I built the Hybrid Chain of Trust framework and its reference implementation, hcot-cli, to demonstrate these pillars working together: verifying existence, verifying signatures, enforcing policies and logging decisions before `pip install` executes. The implementation is less important than the principles, as any organization can implement similar controls with registry webhooks, OPA policies or internal scripts. The key is that verification occurs before deployment, automatically and with an auditable record.
What Security Leaders Should Do Now
The attack surface for slopsquatting will grow. But the defenses are architectural, not exotic.
Start with an audit of your AI-to-production pipeline. How many dependencies are being introduced via LLM suggestions? If you cannot answer that question, you cannot accurately assess exposure. AI-suggested dependencies should be explicitly marked for review and tracking.
Next, evaluate whether your governance process accounts for packages that do not yet exist. Traditional scanners focus on known CVEs in known packages, but slopsquatting exploits the gap in between. Most organizations can close this gap with lightweight controls, including pre-install existence validation using a simple script and registry API checks.
Finally, extend policy enforcement into the dependency resolution step itself. Add a mechanical gate at pull request time that verifies every new dependency resolves to a real, signed package from an approved registry. This prevents hallucinated dependencies from reaching human review at all.
The AI-driven dependency attack surface is real and expanding, but it is also highly preventable with pre-deployment controls embedded in existing pipelines. The window between hallucination and exploitation is often only hours. Organizations that close that window can prevent the next cascading supply chain incident.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

2 hours ago
2













English (US)