Source: byteiota.com · Topic: ai-safety

Slopsquatting: Your AI Coding Agent Is Now a Supply Chain Risk

On February 17, 2026, attackers compromised the Cline AI coding tool via a malicious npm package, silently installing OpenClaw on 4,000 developers' machines through a postinstall script. This "slopsquatting" attack exploits AI models that hallucinate nonexistent package names, which attackers pre-register with malicious code. A May 2026 study found 127 package names hallucinated identically by five major coding models, creating pre-positioned attack infrastructure, and real malicious packages have already accumulated tens of thousands of downloads.

4 min read · Published Jul 4, 2026

On February 17, 2026, at 3:26 AM PT, roughly 4,000 developers updated their Cline AI coding tool and received something they never asked for: OpenClaw, silently installed on their machines via a postinstall script tucked inside a compromised npm package. The attackers had an eight-hour window. They used all of it. Welcome to slopsquatting — the supply chain attack your AI coding assistant is helping build.

What Is Slopsquatting?

Slopsquatting is what happens when an AI model confidently recommends a package that does not exist, and an attacker has already registered that name with malicious code. It is the spiritual successor to typosquatting, except no one mistyped anything. The AI invented a plausible-sounding package name, and the developer — or their agent — ran npm install.

The term was coined by Seth Larson, developer in residence at the Python Software Foundation. The “slop” in slopsquatting is intentional — it refers to the low-quality, confident-sounding AI output that creates the vulnerability in the first place. Unlike typosquatting, there is no telltale misspelling to catch. The hallucinated name looks legitimate because the model generated it to sound legitimate.

The Numbers Are Worse Than You Think

A May 2026 study tested five widely used coding models — Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro, and DeepSeek V3.2 — across nearly 200,000 prompts. The finding that should concern every developer: 127 package names are hallucinated identically by all five models. Not similar names. The exact same names. 109 on PyPI, 18 on npm.

That is not a quirk of one assistant. That is pre-positioned attack infrastructure waiting for any of the five most popular coding tools to recommend it to a developer.

Earlier Cloud Security Alliance research found that 43% of hallucinated package names appeared on every single repeated run of the same prompt. An attacker needs only to run a few dozen prompts, note which fake package names keep recurring, and register them. The math is straightforward. The return on investment is high.

The Attack Is Already Live

This is not a theoretical concern. The unused-imports package on npm is a textbook example: AI models consistently recommend it instead of the legitimate eslint-plugin-unused-imports. An attacker registered the hallucinated name with a malicious payload. As of early 2026, it was still recording approximately 233 weekly downloads despite npm marking it security-held.

As of July 1, 2026, attackers are confirmed to be actively exploiting this vector. Real malicious packages built on slopsquatting have accumulated tens of thousands of downloads across the ecosystem. The window between “theoretical research” and “active exploitation” closed faster than most teams noticed.

AI Agents Make It Exponentially Worse

When a developer follows a bad AI recommendation, they can pause before hitting Enter. When an AI agent does it, there is no pause. Tools like Claude Code, GitHub Copilot, and Cursor increasingly manage dependencies autonomously — pulling packages, adding them to manifests, running installs — without a human checkpoint between recommendation and execution.

Both npm and pip run post-install scripts by default. That means a malicious payload executes the moment npm install completes — before any code review, before any security scan, before anyone on the team knows a new package was added. The Clinejection incident illustrated this precisely: a compromised publish token, a postinstall script, and an eight-hour window were all it took to land unauthorized software on 4,000 developer machines. No one had to click anything. The agent handled it.

What to Do Right Now

The mitigations are not complicated. None of them are on by default.

For your pipelines:

  • Commit your lockfile (package-lock.json, poetry.lock) to source control and run npm ci instead of npm install in CI/CD — this installs exactly what the lockfile specifies, with no room for surprise packages
  • Enable hash verification on all dependency installations
  • Run new packages through a behavioral analysis tool like Socket.dev or Snyk before installing

For your AI agents:

  • Restrict agent permissions — do not grant unrestricted shell or exec access
  • Implement an explicit package allowlist: any agent-recommended package not on the list requires human review before installation
  • Use npm install --ignore-scripts to prevent post-install scripts from executing automatically

The commands, in short:

  npm ci
  npm install --ignore-scripts
  npx socket npm install <package-name>

The Actual Problem

AI coding tools are not the villain here. Hallucination rates dropped from nearly 20% in 2025 to roughly 5–6% across major models in 2026 — real progress. The problem is the assumption baked into most development workflows: that AI agent actions require zero human oversight. That assumption was wrong before slopsquatting existed. It is dangerous now that attackers have found the gap.

Treat AI-recommended packages the same way you would treat a dependency submitted in a pull request from someone you have never met. Because that is effectively what it is. Your agent is only as trustworthy as the permissions you give it and the gates you put in its path — and right now, most teams have given their agents everything and gated nothing.
