Home > Tech Explained

What is Slopsquatting and How to Avoid It

By Crystal Crowder
Code on a computer screen.

If you’ve seen this unpleasant sounding term floating around, you’re probably wondering what is slopsquatting and how exactly it might affect you. This nasty attack isn’t the easiest to spot, but there are ways to avoid it to keep you safer.

What is Slopsquatting

It all starts with AI hallucinations, which are things AI makes up. For the purposes of slopsquatting, AI tools suggest open source packages that don’t actually exist for developers to use in their code.

Cybercriminals have discovered AI hallucinations often repeat. They take advantage of this flaw by creating malicious packages using these hallucinated names and upload them to trusted code repository hosts such as GitHub. When developers ask their favorite AI platform to suggest an open source package, the chatbot suggests one of the hallucinated names that cybercriminals are using.

Asking ChatGPT for code package suggestions.
ChatGPT suggesting packages. No malicious suggestions in this list.

The result is developers are inserting these malicious packages into their software. Once it runs, the damage is done and the attackers gain access to any devices the code is executed on.

While this might not sound like a major issue, one study found that out of 16 major code generation AI models, almost 20-percent of recommended packages didn’t exist. Even worse is 43-percent of hallucinated package names repeated every time out of 10 runs with the same prompt. This makes it much easier for cybercriminals to choose names and get their malicious packages suggested and used repeatedly.

In the study, CodeLlama was the worst offender. On the other hand, GPT-4 Turbo had the fewest hallucinations. Just because the risk is less it doesn’t mean you’re completely safe, though.

Things You Need to Watch Out For

Whether you’re a professional, casual, or completely beginner developer, you’re at risk of slopsquatting. It’s actually a form of typosquatting, where a single letter is the only difference between a legitimate safe domain and a malicious one. But, just like typosquatting, slopsquatting is avoidable if you watch for these five things:

  1. Slightly misspelled package names – This red flag isn’t a guarantee, especially as the majority of hallucinated package names don’t have any typos. Still, if you notice something misspelled, think twice before using it.
  2. Lack of any discussions or feedback – Packages with little to no discussions may not be the safest to use. It could just mean they’re brand spanking new. Or, it could signal it’s a fake package that’s relying on AI suggestions for developers to find and innocently use.
  3. Warnings from other developers – I know it’s easy to just rely upon AI’s suggestions, but take a moment to do some extra research. Use your favorite search engine and see what others are saying about any package suggestions before using them yourself.
  4. Not recommended by other platforms – If possible, try the same or similar prompts on multiple AI coding platforms. If a package is rarely or never recommended, it could be a major sign of slopsquatting.
  5. Confusing descriptions – It’s becoming more common for developers to rely on “vibe coding,” which means they just accept suggestions without any verification. Yet, malicious packages often have confusing descriptions on the sites they’re hosted on.

You can also avoid common slopsquatting packages already identified in the wild just by asking your favorite AI platform for a list.

List of slopsquatting packages from ChatGPT.
List of slopsquatting packages found in the wild courtesy of ChatGPT.

The Most Important Precautions

Even when you know what to look for, slopsquatting is still difficult to spot in many cases. Since it’s so new, it’ll take time for security experts to develop a reliable process to identify and eliminate malicious packages. Many AI platforms are also attempting to train their models to recognize hallucinated names/packages and warn developers before using them.

Until those things happen, you do have three ways to prevent a malicious package from ruining your software and any devices it may be installed on.

The most important is to always run your code in a secure, sandbox environment. VirtualBox and VMWare are two of the most popular virtual machines and they’re free to use. There are also cloud-based sandbox environments, though most only support a few languages. Replit is a favorite as it supports over 50 languages.

The second is use a scanning tool to verify if a package is safe or not. I’ve found the Socket Web Extension to be one of the easiest options to use. It’s free to use and works on numerous sites to scan before you download anything. Currently, it’s available for Chrome-based browsers and Firefox.

How To Avoid Microsoft Blocking Teams On Desktop Update Menu

Finally, always verify anything AI suggests. The more reliant you are on AI, the easier it is for cybercriminals to take advantage. Use AI to assist with coding, but verify any and all suggestions before using them.

If you do become a victim of slopsquatting, let other developers know. Post warnings on social media, Reddit, and repository hosts. Contact support for the AI platform you’re using to report the malicious package name to help better train AI models. Getting the information out helps others protect themselves.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Crystal Crowder Avatar
Crystal Crowder
Crystal Crowder has spent over 15 years working in the tech industry, first as an IT technician and then as a writer. She works to help teach others how to get the most from their devices, systems, and apps. She stays on top of the latest trends and is always finding solutions to common tech problems.

Read next

A woman intently looking at her smartphone while seated indoors, dim lighting.
Tristan Harris, Google’s former design ethicist, told the US Senate that the pull-to-refresh gesture on nearly every app works like the lever of a Las Vegas slot machine, and he has long warned that we now reach for our phones around 150 times a day without ever calling it gambling
In 1969, László Bélády and two IBM colleagues published a paging-machine anomaly showing FIFO could make four memory frames suffer ten page faults after three frames suffered nine, leaving generations of operating-systems students staring at the moment more memory became the wrong answer
When Bell Labs engineer Karl Jansky pointed a rotating antenna at the sky in 1932 looking for sources of transatlantic radio static, he kept picking up a faint hiss that peaked every 23 hours and 56 minutes, and he eventually realized he had become the first human to hear the center of the Milky Way.
The colour magenta does not exist anywhere in the spectrum of visible light, and your brain manufactures it on the spot whenever red and blue cones fire together, inventing a hue to fill a gap that physics never bothered to provide.
Macro view of a smartphone displaying Google and other app icons on the home screen.
On 28 May 2009, Google demoed a product called Wave on stage at I/O for 80 minutes and got a standing ovation from developers who had no idea what they had just watched, and 15 months later the company quietly shut it down because almost nobody could explain to a friend what it was actually for
When Clair Patterson set out in 1948 to measure the age of the Earth using lead in meteorites, his samples kept coming back contaminated, and the seven-year detour he took to find the source ended with him almost single-handedly forcing leaded gasoline out of American cars by 1986.
Close-up view of a vintage IBM circuit board and disk drive showcasing retro computer technology.
The IBM 305 RAMAC stayed in production until 1961, weighed more than a ton, stored five million characters on fifty spinning platters, and still drew customers because the alternative was a room full of punched cards
A close-up of a vintage vinyl record in black and white, emphasizing its grooves.
In 1977, Ann Druyan recorded an hour of her brainwaves and heartbeat two days after she and Carl Sagan agreed to marry, and NASA pressed the compressed minute onto Voyager’s Golden Record as a private love signal now more than 25 billion kilometres from Earth