Slide 11 · Package Hallucination
Hallucination as a supply-chain attack.
Slopsquatting, 2024.
Research Finding · 2024 · Vulcan Cyber / Bar Lanyado
Slopsquatting: Attackers Register the Package Names LLMs Hallucinate
No CVE · Research by Bar Lanyado, Vulcan Cyber · Published 2024

The discovery: Researcher Bar Lanyado asked multiple LLMs (including GPT-4, Claude, and Gemini) to write code for common development tasks. He logged every package name the models recommended and checked each against npm and PyPI.

The pattern: He found hundreds of hallucinated package names across six LLM models. Critically, the same non-existent packages were hallucinated consistently across different sessions and models — making the names predictable to an attacker.

The attack path: Attacker identifies a commonly hallucinated package name → registers it on npm or PyPI with malicious code → waits. Developer asks LLM for help → LLM recommends the hallucinated name → developer installs it → compromised.

The term: “Slopsquatting” — squatting on the names LLMs produce as slop (hallucinated output).

Why it matters for LLM09: This is hallucination weaponized. The model’s intrinsic quality failure becomes an attacker’s delivery mechanism. LLM09 becomes LLM03 (Supply Chain). The entire attack path is broken by one command: npm info <package> before install.
The Defense

Always verify package existence before installing: npm info <name> or pip index versions <name>. A package registered last week with zero downloads and no README is a red flag. Build this check into developer workflow for any team using LLMs for coding assistance.
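The check described above, as an added example (not part of the original slides): it scores an npm registry document against the three warning signs the slide names. The 30-day age threshold, the function names and the sample package documents are assumptions made for illustration; the sample data is constructed so the logic runs offline.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

MIN_AGE_DAYS = 30  # assumed threshold; the slide's example is "registered last week"

def fetch_json(url):
    """Return parsed JSON, or None when the registry answers 404 (name not registered)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def red_flags(packument, weekly_downloads, now):
    """List the slide's warning signs for one npm package document."""
    if packument is None:
        return ["name is not registered: likely hallucinated, do not install"]
    flags = []
    created = datetime.fromisoformat(packument["time"]["created"].replace("Z", "+00:00"))
    age_days = (now - created).days
    if age_days < MIN_AGE_DAYS:
        flags.append(f"registered {age_days} days ago")
    if weekly_downloads == 0:
        flags.append("zero downloads in the last week")
    if not (packument.get("readme") or "").strip():
        flags.append("no README")
    return flags

def check_npm(name, now=None):
    """Online wrapper for an unscoped name: public npm registry plus download-count API."""
    now = now or datetime.now(timezone.utc)
    doc = fetch_json(f"https://registry.npmjs.org/{name}")
    stats = fetch_json(f"https://api.npmjs.org/downloads/point/last-week/{name}") if doc else None
    return red_flags(doc, (stats or {}).get("downloads", 0), now)

# Constructed sample data (not real packages) so the logic runs offline.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
FRESH = {"name": "example-fresh-pkg", "time": {"created": "2024-06-10T08:00:00.000Z"}, "readme": ""}
ESTABLISHED = {"name": "example-old-pkg", "time": {"created": "2019-03-01T12:00:00.000Z"},
               "readme": "# example-old-pkg\nUsage and API notes."}

if __name__ == "__main__":
    for doc, dl in ((None, 0), (FRESH, 0), (ESTABLISHED, 125000)):
        print(doc["name"] if doc else "<unregistered>", red_flags(doc, dl, NOW))
```

An empty list means none of the three signs fired, not that the package is safe; any non-empty result is a reason to stop and review before installing.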
