Slopsquatting: when your agent invents a package and an attacker is waiting
Ask a frontier model to scaffold a project and it will, more often than you’d like, reach for a package that does not exist. Not a typo of a real one — a wholly invented name that sounds exactly right: eslint-fast-router, python-jwt-utils, react-use-debounce-effect. The name is so plausible you’d never look twice. That is the opening.
From hallucination to attack
The attack is simple and it has a name now: slopsquatting. It works in three moves.
- A model hallucinates a package name that doesn’t exist on npm or PyPI.
- An attacker — watching the same models you are — registers that exact name first, with a malicious payload in the install script.
- The next agent that hallucinates the same name installs the attacker’s code, with whatever credentials and filesystem access the build has.
The thing that makes slopsquatting different from classic typosquatting is that it doesn’t rely on you slipping. You can type the command perfectly. The mistake was made upstream, by the model, and it was made confidently.
Why hallucinated names are predictable
The uncomfortable part: model hallucinations are not random noise. Researchers who measured this found that a meaningful fraction of packages suggested by code models simply don’t exist — and, crucially, that the same fake names recur across runs and across prompts. A hallucination that repeats is a hallucination an attacker can pre-register and wait on.
Repeatability is what turns a flaky output into a viable supply chain. The attacker doesn’t need to guess what your specific agent will dream up. They harvest the names that lots of models dream up, register the popular ones, and let the ecosystem walk into them.
Why your existing tools miss it
Most of the supply-chain tooling you already run assumes the dependency is real and asks whether it’s safe — known CVEs, license, maintainer reputation, version age. A slopsquatted package defeats that framing on day one:
- It has no history, because it was registered an hour ago — so “suspiciously new” is its only signal, and new packages are published constantly.
- It has no CVEs, because no one has reported it yet.
- It passes a lockfile review, because by the time it’s in your lockfile the decision has already been made.
And the riskiest moment — the model proposing the name — happens before any of those tools run. The package is installed during the agent’s own loop, often inside an automated build, with no human reading the diff.
The fix is a pre-flight check, not a post-mortem
The only place to catch this cheaply is before the install command runs. At that moment you have everything you need: the proposed name, and the live registry to check it against. The verdict is fast and unambiguous:
$ hipper guard react eslint-fast-router expresss
✓ react trusted
✗ eslint-fast-router HALT — hallucinated (did you mean eslint)
✗ expresss HALT — possible typosquat (did you mean express)
Hipper hooks the agent’s tool-use step and classifies every package it’s about to install:
- trusted — in the verified registry, install proceeds.
- unverified — real on the registry but unknown to us; surfaced, not blocked.
- possible typosquat — one edit away from a popular package; flagged with the likely intended name.
- hallucinated — not on npm or PyPI at all; the install is denied before it runs.
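As an added illustration (not Hipper’s code, and not a description of how Hipper is implemented), here is a minimal pre-flight guard in Python that applies the four verdicts above to every name in an install command before anything is fetched. The registry, the allow-list and the popularity set are a constructed in-memory snapshot; a live guard would query the npm or PyPI registry at the moment of the install.

```python
# Added example (not Hipper's code): a pre-flight guard that classifies the
# package names an agent is about to install into the post's four verdicts.
# REGISTRY, TRUSTED and POPULAR are a constructed snapshot; a real guard
# would query https://registry.npmjs.org/<name> or
# https://pypi.org/pypi/<name>/json at install time instead.
import re
from dataclasses import dataclass

# Constructed snapshot: name -> days since first publish. "expresss" and
# "python-jwt-utils" stand in for attacker registrations a few days old.
REGISTRY = {
    "npm":  {"react": 3600, "express": 4000, "eslint": 3500, "lodash": 3400,
             "expresss": 2},
    "pypi": {"requests": 4500, "pyjwt": 3000, "numpy": 4800,
             "python-jwt-utils": 1},
}
# Constructed allow-list of vetted packages (the post's "verified registry").
TRUSTED = {"npm": {"react", "express", "eslint", "lodash"},
           "pypi": {"requests", "pyjwt", "numpy"}}
# Popular names an attacker would squat near. Equal to TRUSTED here; in
# practice derived from download counts, not from your own allow-list.
POPULAR = TRUSTED
NEW_PACKAGE_DAYS = 30   # "suspiciously new" threshold (assumed value)


def normalize(eco: str, name: str) -> str:
    """PyPI treats '-', '_' and '.' as equivalent and ignores case (PEP 503);
    npm names are lowercase. Compare canonical forms, not raw input."""
    if eco == "pypi":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name.lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (catches 'lodahs' for 'lodash')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


@dataclass
class Verdict:
    name: str
    status: str   # trusted | unverified | possible typosquat | hallucinated
    block: bool
    note: str = ""


def nearest_popular(eco: str, name: str) -> tuple[str, int]:
    """Closest popular package by edit distance, as (name, distance)."""
    return min(((p, edit_distance(name, p)) for p in POPULAR[eco]),
               key=lambda t: t[1])


def suggestion(eco: str, name: str) -> str:
    """Likely intended name: a popular package within two edits, else a
    popular package that is a whole token of the name (eslint-fast-router
    -> eslint), else nothing."""
    near, dist = nearest_popular(eco, name)
    if dist <= 2:
        return near
    return next((t for t in name.split("-") if t in POPULAR[eco]), "")


def check(eco: str, raw: str) -> Verdict:
    name = normalize(eco, raw)
    if name not in REGISTRY[eco]:           # nothing to install: hallucinated
        hint = suggestion(eco, name)
        return Verdict(raw, "hallucinated", True, f"did you mean {hint}" if hint else "")
    if name in TRUSTED[eco]:
        return Verdict(raw, "trusted", False)
    near, dist = nearest_popular(eco, name)
    if dist == 1:                            # real, but one edit from a popular name
        return Verdict(raw, "possible typosquat", True, f"did you mean {near}")
    age = REGISTRY[eco][name]                # real and unknown: surface, don't block
    note = f"first published {age} day(s) ago"
    if age < NEW_PACKAGE_DAYS:
        note += "; new package, review before automated install"
    return Verdict(raw, "unverified", False, note)


def guard(eco: str, names: list[str]) -> tuple[bool, list[Verdict]]:
    """Classify every name in one install command; proceed only if none block."""
    verdicts = [check(eco, n) for n in names]
    return not any(v.block for v in verdicts), verdicts


if __name__ == "__main__":
    ok, vs = guard("npm", ["react", "eslint-fast-router", "expresss"])
    for v in vs:
        mark = "✗" if v.block else "✓"
        print(f"{mark} {v.name} {'HALT ' if v.block else ''}{v.status} {v.note}".rstrip())
    print("install proceeds" if ok else "install denied")
```

Two things the code makes concrete. The check runs on the proposed names alone, so a denied name never reaches pip or npm at all. And the verdict is time-sensitive: the minute an attacker registers a hallucinated name, that name stops being “hallucinated” and becomes “unverified”, which is why the package age attached to that verdict is the signal an automated build should hold on.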
It works the same for npm, pnpm, yarn, and bun as it does for pip, uv, poetry, and pipx — because the hallucination problem is identical on both sides of the language fence.
The point
Slopsquatting is the first attack class created by AI coding agents rather than merely assisted by them. It doesn’t exploit a bug in your code; it exploits the gap between a model’s training cutoff and the world’s current state, in the half-second between “the agent decided” and “the package installed.”
Close that half-second and the attack has nowhere to live.
Hipper checks every proposed dependency against the live registry before it installs. Join the waitlist for early access.
Hipper is a pre-flight knowledge guardrail for AI coding agents. Join the waitlist →