Imagine this scenario: you’re working under a tight deadline, and you have your reliable AI coding assistant by your side, auto-completing functions, suggesting dependencies, and even firing off pip install commands on the fly. You’re deep in flow—some might call it vibe coding—where ideas turn into code almost effortlessly with the help of AI. It almost feels like magic—until it isn’t.

During our research, we observed an advanced agent confidently generating a perfectly plausible package name out of thin air, only to have the build crash with a “module not found” error moments later. Even more concerning, that phantom package might already exist on PyPI, registered by an adversary waiting to introduce malicious code into a developer’s workflow.

Figure 1. Agent hallucinating a non-existent package name—slopsquatting in action

For AI developers, these momentary glitches represent more than just an inconvenience; they’re a window into a new supply-chain threat. When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries.

In this entry, we’ll explore how these hallucinations occur in advanced agents, discuss their implications, and provide actionable guidance on how organizations can keep their development pipelines secure against these types of threats.

Slopsquatting is an evolution of the classic typosquatting attack. Rather than relying on human typographical errors however, attackers exploit AI-generated hallucinations instead. When a coding agent hallucinates a dependency—such as starlette-reverse-proxy—an attacker can publish a malicious package under that exact name. Developers who unwittingly run the generated installation commands may inadvertently download and execute malware.

While raw large language models (LLMs) can generate plausible-looking package names, they lack built-in validation mechanisms. In contrast, advanced coding agents incorporate additional reasoning and tool integrations to catch hallucinations before they can slip into the code. The next sections explores some of key agentic capabilities offered by some of the latest coding agents.

Claude Code CLI dynamically interleaves internal reasoning with external tools—such as live web searches and documentation lookups—to verify package availability as part of its generation pipeline. This “extended thinking” approach ensures that suggested package names are based on real-time evidence rather than statistics alone.

Figure 2. Claude Code CLI autonomously invoking a web search to validate a package

A multi-tiered memory system allows the agent to recall prior verifications and project-specific conventions, enabling it to cross-reference of earlier dependency checks before recommending new imports.

Codex CLI generates and executes test cases iteratively, using import failures and test errors as feedback to prune non-existent libraries from its suggestions.

By inspecting the existing codebase—parsing imports, analyzing project structure, and referencing local documentation—Codex ensures that package recommendations are contextually grounded in the specific application rather than relying solely on language priors.

For Cursor AI, we utilized multiple Model Context Protocol (MCP) servers for real-time validation of each candidate dependency:

Figure 3. Cursor AI’s MCP pipeline validating dependencies against live registries

To assess how different AI paradigms manage phantom dependencies, we compared hallucinated package counts across 100 realistic web-development tasks for three classes of models. Given the challenge of automating tests across various coding agents and Cursor AI, we manually executed the ten tasks that exhibited the highest hallucination rates in foundation models, recorded each hallucination, and compiled the results.

These are visualized in Figure 4, which charts the number of fabricated package names (0–6) proposed by each model for every task. The full dataset is available on GitHub.

Figure 4. The number of hallucinated packages identified t for each model and question is visualized on a scale of 0 to 6. For instance, 4 indicates that four hallucinated package names were identified for the corresponding model and question.

Across the 100 tasks, foundation models predominantly produced zero-hallucination outputs. However, they exhibited occasional spikes of two to four invented names when prompted to bundle multiple novel libraries.

These spikes, clustered around high-complexity prompts, reflect the model’s tendency to splice familiar morphemes (e.g. “graph” + “orm”, “wave” + “socket”) into plausible-sounding yet non-existent package names when their training data lacks up-to-date grounding.

By incorporating chain-of-thought reasoning and live web-search integrations, advanced coding agents are able to reduce the hallucination rate by approximately half. Nonetheless, occasional spikes persist on the same high-complexity prompts, albeit limited to one or two phantom names. Common error modes include:

Enhancing the vibe-coding workflow with three live MCP servers yields the lowest hallucination counts. Real-time validation effectively filters out most hallucinations other coding agents exhibit — however, in edge cases where no registry entry exists, a small number of hallucinated names may still persist.

This research demonstrates that package hallucinations remain a tangible supply-chain threat across all AI coding paradigms. Foundation models frequently generate plausible-sounding dependencies when tasked with bundling multiple libraries. While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases.

Importantly, relying on simple PyPI lookups offers a false sense of security, as malicious actors can pre-register hallucinated names, and even legitimate packages themselves might contain unpatched vulnerabilities. When dependency resolution is treated as a rigorous, auditable workflow rather than a simple convenience, organizations can significantly shrink the attack window for slopsquatting and other related supply-chain exploits.

When automatic package installs are unavoidable, enforce strict sandbox controls to mitigate potential threats: