Attack  ·  Glossary

Hallucination squatting (slopsquatting)

Attackers notice that AI coding assistants sometimes 'hallucinate' the name of a software package that doesn't actually exist, then register a real, malicious package under that exact fake name. When a developer's AI-generated code tries to install the hallucinated package, it silently pulls in the attacker's malware instead.
This attack needs no phishing email or malicious link — it exploits a predictable flaw in how AI assistants write code, turning an everyday coding shortcut into a botnet-distribution channel at scale.
Track this in the live feed See how this plays out in real AI security and governance developments.
Open the feed →