Full Report
A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and the model's tendency to "hallucinate" non-existent package names. [...]
Analysis Summary
# Tool/Technique: AI Hallucinated Code Dependencies (Slopsquatting Prerequisite)
## Overview
This refers to the discovery that Large Language Models (LLMs) frequently "hallucinate" or invent software package names when generating code. These invented package names are often semantically plausible, repeatable across multiple runs, and sometimes based on typos of real packages, creating a predictable and potentially weaponizable attack surface for supply chain compromise, often referred to as "slopsquatting."
## Technical Details
- Type: Technique / Attack Vector Precursor
- Platform: Software Development Environments utilizing AI code generation tools (e.g., developers using LLM-assisted coding).
- Capabilities: Generating fictional dependency names that appear legitimate to developers, facilitating the introduction of malicious packages into software projects.
- First Seen: Newly identified and documented risk associated with the deployment of generative AI in coding workflows (contextual timeframe associated with recent studies on LLM behavior).
## MITRE ATT&CK Mapping
This attack vector primarily targets the initial stages of the supply chain compromise:
- **TA0001 - Initial Access** (If the developer unknowingly imports the dependency)
- **T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain** (Malicious components are introduced by publishing packages under the hallucinated names, enabling a later compromise when developers install them)
- **TA0005 - Defense Evasion** (If the hallucinated dependency is novel, it might evade existing signature-based defenses)
- **TA0012 - Discovery** (If the attacker uses the repeatable pattern to test which hallucinated packages are likely to be adopted)
## Functionality
### Core Capabilities
- Generating novel, seemingly legitimate package names that do not exist in official repositories.
- Patterns show 43% of hallucinated names are consistently repeated across similar prompts, making them reliable targets for attackers.
- 51% of these names are completely fabricated, while 38% are inspired by real packages, and 13% are typos.
### Advanced Features
- **Repeatability:** The high rate of repetition (58% across ten runs) means attackers can observe LLM outputs to identify high-confidence targets for creating corresponding malicious packages (slopsquatting).
- **Semantic Plausibility:** The names sound credible, reducing immediate suspicion by the developer reviewing the AI-suggested code.
## Indicators of Compromise
*Note: Since this is a precursor to an attack, IoCs are related to the subsequent slopsquatting actions, not the hallucination itself.*
- File Hashes: N/A (Relates to developers installing non-existent packages)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (The *hallucination* has no network indicators; the subsequent malicious package would.)
- Behavioral Indicators: Developers accepting and integrating dependencies suggested by LLMs without explicit verification.
## Associated Threat Actors
None explicitly named in the context of *causing* hallucinations, but this technique creates an easy attack surface for any threat actor able to publish packages to a public registry under the hallucinated names (e.g., typosquatting/slopsquatting efforts).
## Detection Methods
The focus is on verifying AI output rather than detecting the hallucination itself.
- Signature-based detection: Ineffective against novel, hallucinated package names until they are weaponized.
- Behavioral detection: Monitoring for unusual dependency installation attempts based on AI-generated code prompts.
- YARA rules: Not directly applicable to the hallucination process.
## Mitigation Strategies
- Verify every suggested package name manually, whether human- or AI-generated, by confirming it exists in the official index; never assume a suggested package is real or safe.
- Utilize dependency scanners and lockfiles to pin software to known, trusted versions.
- Verify package hashes for installed dependencies where possible.
- Lower AI "temperature" settings during coding assistance to reduce randomness and the creation of novel artifacts.
- Always test AI-generated code in an isolated, safe environment before production deployment.
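The detection and mitigation points above (verify that suggested packages actually exist, watch for near-miss names, pin versions and hashes in the requirements file) can be turned into a pre-install check. The script below is an added example, not code from the original report: `KNOWN_PACKAGES` is a constructed stand-in for a real index lookup (in practice a query against PyPI or an internal mirror), the AI snippet and requirements file are constructed inputs, and the hash value is a placeholder.

```python
"""Pre-install review of LLM-suggested dependencies (added example).

Flags imported packages that are absent from a trusted index, points out
near-miss spellings of real packages, and audits a requirements file for
version pins and hashes. The index is a constructed stand-in so the
script runs offline; a real check would query the package registry.
"""
import re

# Constructed stand-in for a registry / allowlist lookup (assumption).
KNOWN_PACKAGES = {"requests", "cryptography", "pyyaml", "numpy"}

# Constructed AI-generated snippet: 'fastjsonparse' is a fabricated name,
# 'reqeusts' is a typo-style name; both are invented for this example.
AI_SNIPPET = """
import requests
import fastjsonparse
from reqeusts import Session
"""

# Constructed requirements file: pinned with hash, pinned without, unpinned.
# The hash value is a placeholder, not a real digest.
REQUIREMENTS = """
requests==2.31.0 --hash=sha256:PLACEHOLDER_HASH
cryptography==42.0.0
numpy
"""

IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.MULTILINE)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)(==\S+)?(.*)$")


def extract_imports(code):
    """Return the sorted top-level module names a snippet imports."""
    return sorted({m.group(1).lower() for m in IMPORT_RE.finditer(code)})


def unverified_packages(code, known):
    """Imported names that are not present in the trusted index."""
    return [name for name in extract_imports(code) if name not in known]


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-style names near real ones."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(text):
    """Classify each requirement as hash-pinned, version-pinned only, or unpinned."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, pin, rest = m.group(1).lower(), m.group(2), m.group(3)
        if not pin:
            findings[name] = "unpinned"
        elif "--hash=" not in rest:
            findings[name] = "pinned, no hash"
        else:
            findings[name] = "pinned with hash"
    return findings


def review(code, requirements, known, max_distance=2):
    """Full report: unverified imports (with near-miss suggestions) and pin audit.

    Note: import names and distribution names can differ (e.g. PyYAML is
    imported as yaml); a production check would map between the two.
    """
    report = {"unverified": {}, "requirements": audit_requirements(requirements)}
    for name in unverified_packages(code, known):
        near = sorted(k for k in known if edit_distance(name, k) <= max_distance)
        report["unverified"][name] = near
    return report


if __name__ == "__main__":
    result = review(AI_SNIPPET, REQUIREMENTS, KNOWN_PACKAGES)
    for name, near in result["unverified"].items():
        hint = f" (near miss of {near})" if near else " (no close match: possible fabrication)"
        print(f"UNVERIFIED: {name}{hint}")
    for name, status in result["requirements"].items():
        print(f"REQUIREMENT: {name}: {status}")
```

Run it before `pip install` on AI-suggested code: anything reported as unverified should be looked up in the official index by hand, and anything not pinned with a hash should be pinned before it reaches the lockfile.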
## Related Tools/Techniques
- **Slopsquatting:** The resultant attack where threat actors distribute malicious packages matching the hallucinated names.
- **Typosquatting (T1550.001):** Slopsquatting is similar to typosquatting, but it leverages AI-generated plausible misspellings or outright fabrications rather than human typing errors.