# Researchers have finally worked out why AI models keep inventing the same fake names

> Source: <https://startupfortune.com/researchers-have-finally-worked-out-why-ai-models-keep-inventing-the-same-fake-names/>
> Published: 2026-06-21 08:21:00+00:00

*New research shows AI models don't invent fake names at random. They often converge on the same plausible lies, which turns a nuisance error into a security and compliance problem.*

If you've spent enough time prompting large language models, you've probably seen the odd pattern: when they make things up, they often make up the same sort of thing. A researcher who doesn't exist. A legal case that sounds real. A software package that looks exactly like the one a developer expected to install.

That isn't just a funny defect in the machine. It is the shape of the risk. When an AI system produces a fake name once, you have an error. When several models produce the same fake name again and again, you have something other people can target.

The clearest example is now in software. In a 2024 paper called *We Have a Package for You!*, researchers Joseph Spracklen, Raveen Wijewickrama, A. H. M. Nazmus Sakib, Anindya Maiti, Bimal Viswanath and Murtuza Jadliwala tested 16 code-generating LLMs across Python and JavaScript prompts. They generated 576,000 code samples and found 205,474 unique hallucinated package names. Commercial models hallucinated packages at a rate of at least 5.2%, while open-source models averaged 21.7%.

That is not a rounding error. If you're letting an AI coding agent suggest dependencies, the fake package name isn't trapped inside a chat window. It can move straight into a terminal, a pull request, a build system or a production pipeline.

The newer work makes the problem harder to dismiss. In a May 2026 follow-up, researcher Aleksandr Churilov tested five frontier code-capable models released between October 2025 and March 2026, including Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro and DeepSeek V3.2. The overall hallucination rates were lower, between 4.62% and 6.10%, but the study found 127 package names that all five models invented identically.

Frankly, that is the part you should care about. Better averages help, but shared fake names create a shared attack surface. If an attacker can register one of those names on PyPI or npm before a developer checks it, the hallucination becomes a supply-chain trick. The term for that is slopsquatting, and it is exactly as crude as it sounds: claim the package name the model keeps imagining, then wait for someone to trust the model too much.

The same pattern shows up outside code, where the costs are less technical but no less real. Stanford researchers Matthew Dahl, Varun Magesh, Mirac Suzgun and Daniel E. Ho found in 2024 that legal hallucinations appeared between 58% and 88% of the time when major models were asked specific, verifiable questions about random federal court cases. These were not vague misunderstandings. They included wrong holdings, invented legal claims and false answers about real cases.

The legal profession keeps supplying examples because lawyers keep treating fluent text as if fluency were verification. The Guardian reported in April 2026 that Sullivan & Cromwell apologised to a federal judge after a filing in a high-profile bankruptcy matter included AI-generated errors, including inaccurate citations and a misquotation of the US bankruptcy code. You don't need to imagine the compliance problem. It is already sitting in court records.

The reason this keeps happening is not mysterious. LLMs don't store facts like a database. They learn patterns from text and generate the next likely token. A name that fits the shape of a real person, real case or real software dependency can be more available to the model than the honest answer: I don't know. Training and product design often make that worse, because a smooth answer is easier to like than a cautious one.

That is why generic safeguards are not enough. A warning label under the chat box will not protect a build pipeline. A lawyer promising to check citations later will not fix a brief already drafted around a fake case. If your company is putting AI into customer support, legal review, compliance workflows or developer tools, you need verification at the point where names enter the system.

For code, that means package allowlists, lockfiles, hash verification and a hard rule that AI agents don't install dependencies without review. For legal and customer-facing systems, it means retrieval against approved documents and citation checks before output reaches a user. Retrieval-augmented generation is not magic, but it gives the model something real to stand on. Raw generation does not.
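The code-side controls can be enforced as a gate that runs before any install step. The sketch below is an added example, not code from the article or the studies it cites: it reviews a pip requirements file and flags any entry that is off the allowlist, not pinned with `==`, or missing a `sha256` hash. The allowlist contents, the sample file and the package name `Example_Hallucinated.Pkg` are constructed for illustration.

```python
import re

# Constructed allowlist of reviewed dependencies (hypothetical, for illustration).
ALLOWLIST = {"requests", "urllib3"}
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==\s*[^\s;]+)?")
_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")

# Constructed sample: the hash is placeholder hex, the last name is made up.
SAMPLE = (
    "requests==2.31.0 \\\n    --hash=sha256:" + "a" * 64 + "\n"
    "urllib3>=2.0  # reviewed, but unpinned and unhashed\n"
    "Example_Hallucinated.Pkg==1.0.0\n"
)

def normalize(name):
    """PEP 503 normalization, so 'Flask_Login' and 'flask-login' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line

def review_requirements(text, allowlist=ALLOWLIST):
    """Return (package, problem) findings; an empty list means the file passes."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):
            # Options such as -r, -e or --index-url change where code comes from.
            findings.append((line.split()[0], "option line needs human review"))
            continue
        m = _REQ.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name = normalize(m.group(1))
        if name not in allowlist:
            findings.append((name, "not on allowlist"))
        if not m.group(3):
            findings.append((name, "version not pinned with =="))
        if not _HASH.search(line):
            findings.append((name, "missing sha256 hash"))
    return findings

if __name__ == "__main__":
    print(review_requirements(SAMPLE))
```

A gate like this complements pip's own hash-checking mode (`pip install --require-hashes`), which rejects unhashed or unpinned entries at install time but has no notion of an allowlist.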

The point is not that AI tools are useless. They are useful enough that people stop checking them. That is the danger. A random fake name wastes your time. A predictable fake name gives someone else a map.

