Slopsquatting emerges as a supply chain vulnerability that exploits AI coding assistants. The attack works when developers use AI tools like GitHub Copilot or Claude to generate code. These models occasionally hallucinate, or fabricate package names and library references that don't exist. Attackers register these nonexistent packages with names similar to what the AI suggested, then populate them with malicious code.

When developers copy AI-generated code into their projects, they inadvertently pull in the poisoned packages. Unlike typosquatting, which relies on human typing errors (confusing "lodash" for "loadash"), slopsquatting exploits the LLM's tendency to invent plausible-sounding but fake dependencies.

The threat scales rapidly as AI coding adoption accelerates. A single hallucination propagated through an AI model reaches thousands of developers simultaneously. The attack bypasses traditional code review processes because the malicious package name looks legitimate in context. Developers trust their AI assistant and don't question whether the dependency actually exists.

Real-world examples have already surfaced. Researchers documented cases where LLMs generated references to packages that don't exist in standard repositories. Attackers watching for these hallucinations can quickly register the fake packages and distribute malware before developers realize the mistake.

Organizations relying heavily on AI coding assistants face particular risk. Development teams with less security discipline are especially vulnerable. The attack works at the earliest stage of development, embedding compromise deep into the software supply chain before code review or testing phases catch it.

Mitigation strategies include verifying all AI-suggested dependencies before importing them, implementing stricter dependency vetting in CI/CD pipelines, and monitoring for typosquatting-style package registrations. Package repositories like npm and PyPI have begun flagging suspicious new packages, but the speed of LLM adoption outp