New Slopsquatting Attack Exploits Coding Agent Workflows to Deliver Malware

“Slopsquatting” is a new supply-chain danger that has surfaced in the quickly changing field of AI-driven software development, presenting serious hazards to developers who depend on sophisticated coding agents.

Unlike traditional typosquatting, which capitalizes on human typing errors, slopsquatting exploits the hallucinations of AI-powered coding assistants tools like Claude Code CLI, OpenAI Codex CLI, and Cursor AI with MCP-backed validation.

These agents, designed to streamline workflows by auto-completing code and suggesting dependencies, can inadvertently generate non-existent but plausible package names.

Malicious actors seize this opportunity by pre-registering these hallucinated names on public registries like PyPI, waiting to deliver malware to unsuspecting developers who execute the AI-suggested installation commands.

AI Hallucinations

The mechanics of slopsquatting are both insidious and sophisticated. When developers, often under tight deadlines, lean on AI coding agents for rapid prototyping or “vibe coding,” they enter a state of seamless productivity where ideas transform into code almost effortlessly.

However, this magic can turn into a nightmare when an agent hallucinates a dependency like “starlette-reverse-proxy” that doesn’t exist in reality but sounds convincingly legitimate.

According to the Report, Research has shown that even advanced agents with real-time validation mechanisms are not immune to such errors.

Our experiments across 100 web development tasks revealed that foundation models occasionally produce spikes of two to four invented package names, particularly under complex prompts, while reasoning-enhanced agents cut this rate by half but still falter in edge cases.

Cursor AI, augmented with Model Context Protocol (MCP) servers for live validation, achieves the lowest hallucination rates, yet it too misses rare scenarios, such as cross-ecosystem name borrowing or morpheme-splicing heuristics.

These gaps, however small, create windows for attackers to publish malicious packages under the hallucinated names, turning a momentary glitch into a full-blown security breach.

Fortifying Defenses Against Slopsquatting

Mitigating slopsquatting demands a multi-layered security approach, as simple registry lookups provide a false sense of safety malicious actors can pre-register names, and even legitimate packages may harbor vulnerabilities.

Organizations must treat dependency resolution as a rigorous, auditable process.

Provenance tracking through cryptographically signed Software Bills of Materials (SBOMs) ensures every package’s origin is traceable, while automated vulnerability scanning with tools like OWASP dep-scan in CI/CD pipelines can flag risks before deployment.

Isolated installation environments, such as Docker containers or ephemeral VMs, are critical to contain potential threats, executing AI-suggested “pip install” commands in sandboxes that are reset per run with strict outbound network restrictions.

Furthermore, integrating prompt-driven validation loops, enforcing human-in-the-loop approvals for unfamiliar packages, and educating developers on these risks are essential steps.

Detailed logging, runtime monitoring for anomalous behavior, and immutable base images for sandboxes add additional layers of protection.

While AI coding agents are transformative, their hallucinations underscore the need for vigilance.

By combining technology with policy and oversight, organizations can shrink the attack surface of slopsquatting, safeguarding their development pipelines against this emerging supply-chain threat in an era where automation and security must coexist.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free