Slopsquatting: Your AI Coding Agent Is Now a Supply Chain Risk

On February 17, 2026, attackers compromised the Cline AI coding tool via a malicious npm package, silently installing OpenClaw on 4,000 developers' machines through a postinstall script. This "slopsquatting" attack exploits AI models that hallucinate nonexistent package names, which attackers pre-register with malicious code. A May 2026 study found 127 package names hallucinated identically by five major coding models, creating pre-positioned attack infrastructure, and real malicious packages have already accumulated tens of thousands of downloads.

On February 17, 2026, at 3:26 AM PT, roughly 4,000 developers updated their Cline AI coding tool and received something they never asked for: OpenClaw, silently installed on their machines via a postinstall script tucked inside a compromised npm package. The attackers had an eight-hour window. They used all of it.

Welcome to slopsquatting — the supply chain attack your AI coding assistant is helping build.

What Is Slopsquatting?

Slopsquatting is what happens when an AI model confidently recommends a package that does not exist, and an attacker has already registered that name with malicious code. It is the spiritual successor to typosquatting, except no one mistyped anything. The AI invented a plausible-sounding package name, and the developer — or their agent — ran npm install.

The term was coined by Seth Larson, developer in residence at the Python Software Foundation. The "slop" in slopsquatting is intentional — it refers to the low-quality, confident-sounding AI output that creates the vulnerability in the first place.

Unlike typosquatting, there is no telltale misspelling to catch. The hallucinated name looks legitimate because the model generated it to sound legitimate.
The Numbers Are Worse Than You Think

A May 2026 study (https://arxiv.org/abs/2605.17062) tested five widely used coding models — Claude Sonnet 4.6, Claude Haiku 4.5, GPT-5.4-mini, Gemini 2.5 Pro, and DeepSeek V3.2 — across nearly 200,000 prompts. The finding that should concern every developer: 127 package names are hallucinated identically by all five models. Not similar names. The exact same names. 109 on PyPI, 18 on npm.

That is not a quirk of one assistant. That is pre-positioned attack infrastructure waiting for any of the five most popular coding tools to recommend it to a developer.

Earlier Cloud Security Alliance research (https://labs.cloudsecurityalliance.org/research/csa-research-note-slopsquatting-ai-supply-chain-20260419-csa/) found that 43% of hallucinated package names appeared on every single repeated run of the same prompt. An attacker needs only to run a few dozen prompts, note which fake package names keep recurring, and register them. The math is straightforward. The return on investment is high.

The Attack Is Already Live

This is not a theoretical concern. The unused-imports package on npm is a textbook example: AI models consistently recommend it instead of the legitimate eslint-plugin-unused-imports. An attacker registered the hallucinated name with a malicious payload. As of early 2026, it was still recording approximately 233 weekly downloads despite npm marking it security-held.

As of July 1, 2026, attackers are confirmed to be actively exploiting this vector (https://www.techtimes.com/articles/319457/20260701/ai-coding-agents-skip-package-verification-attackers-are-exploiting-it.htm). Real malicious packages built on slopsquatting have accumulated tens of thousands of downloads across the ecosystem. The window between "theoretical research" and "active exploitation" closed faster than most teams noticed.

AI Agents Make It Exponentially Worse

When a developer follows a bad AI recommendation, they can pause before hitting Enter.
When an AI agent does it, there is no pause. Tools like Claude Code, GitHub Copilot, and Cursor increasingly manage dependencies autonomously — pulling packages, adding them to manifests, running installs — without a human checkpoint between recommendation and execution.

Both npm and pip run post-install scripts by default. That means a malicious payload executes the moment npm install completes — before any code review, before any security scan, before anyone on the team knows a new package was added.

The Clinejection incident (https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/) illustrated this precisely: a compromised publish token, a postinstall script, and an eight-hour window were all it took to land unauthorized software on 4,000 developer machines. No one had to click anything. The agent handled it.

What to Do Right Now

The mitigations are not complicated. None of them are on by default.

For your pipelines:

- Commit your lockfile (package-lock.json, poetry.lock) to source control and run npm ci instead of npm install in CI/CD — this installs from the lockfile exactly, with no room for surprise packages
- Enable hash verification on all dependency installations
- Run new packages through a behavioral analysis tool like Socket.dev (https://socket.dev) or Snyk before installing

For your AI agents:

- Restrict agent permissions — do not grant unrestricted shell or exec access
- Implement an explicit package allowlist: any agent-recommended package not on the list requires human review before installation
- Use npm install --ignore-scripts to prevent post-install scripts from executing automatically

```shell
# Install from lockfile only — no deviations
npm ci

# Block post-install scripts from executing on install
npm install --ignore-scripts

# Scan before you install with Socket
npx socket npm install
```
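The allowlist, lockfile and install-script checks above can be automated as a gate that runs before an agent-proposed dependency change is installed. The script below is an added example, not code from the article or from any of the tools it names. It assumes an npm-style package.json and package-lock.json (lockfileVersion 2 or later, whose entries are keyed node_modules/<name>) and that each candidate package's own package.json has been obtained without executing its scripts, for instance from a scratch `npm install --ignore-scripts`. The manifests, allowlist, lockfile entries and package metadata are all constructed samples, including the postinstall entry attached to the hallucinated unused-imports name.

```python
"""Pre-install gate for dependency changes proposed by an AI coding agent.

Added example, not from the article or any named project. Inputs are
constructed samples in the npm package.json / package-lock.json layout.
"""
from dataclasses import dataclass

# npm lifecycle hooks that run automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def _declared(manifest: dict) -> dict:
    """Flatten dependencies and devDependencies into one {name: spec} map."""
    out = {}
    for key in ("dependencies", "devDependencies"):
        out.update(manifest.get(key, {}))
    return out


def added_dependencies(old_manifest: dict, new_manifest: dict) -> dict:
    """Dependencies present in the proposed manifest but not in the committed one."""
    old = _declared(old_manifest)
    return {n: s for n, s in _declared(new_manifest).items() if n not in old}


def gate(old_manifest, new_manifest, allowlist, package_metadata, lockfile):
    """Return one Finding per problem with each newly added dependency.

    An empty list means the change can be installed without a human in the
    loop; anything else is handed to a reviewer before `npm ci` runs.
    """
    findings = []
    locked = lockfile.get("packages", {})  # lockfileVersion >= 2 layout
    for name in sorted(added_dependencies(old_manifest, new_manifest)):
        if name not in allowlist:
            findings.append(Finding(name, "not on the allowlist; needs human review"))
        entry = locked.get(f"node_modules/{name}")
        if entry is None:
            findings.append(Finding(name, "absent from package-lock.json; npm ci will refuse the out-of-sync manifest"))
        elif "integrity" not in entry:
            findings.append(Finding(name, "lockfile entry has no integrity hash"))
        meta = package_metadata.get(name)
        if meta is None:
            findings.append(Finding(name, "no package metadata available; cannot assess"))
            continue
        hooks = [h for h in LIFECYCLE_HOOKS if h in meta.get("scripts", {})]
        if hooks:
            findings.append(Finding(name, "runs lifecycle scripts on install: " + ", ".join(hooks)))
    return findings


# --- constructed samples (hypothetical versions and hashes) -----------------
COMMITTED = {"dependencies": {"eslint": "^9.0.0"}}
PROPOSED = {
    "dependencies": {"eslint": "^9.0.0"},
    "devDependencies": {
        "eslint-plugin-unused-imports": "^4.0.0",  # the real plugin
        "unused-imports": "^1.0.0",                # the hallucinated name
    },
}
ALLOWLIST = {"eslint", "eslint-plugin-unused-imports"}
# As read from node_modules/<name>/package.json after a scratch
# `npm install --ignore-scripts`; the script contents are invented here.
METADATA = {
    "eslint-plugin-unused-imports": {"scripts": {"test": "vitest"}},
    "unused-imports": {"scripts": {"postinstall": "node setup.js"}},
}
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/eslint": {"version": "9.0.0", "integrity": "sha512-PLACEHOLDER1"},
        "node_modules/eslint-plugin-unused-imports": {"version": "4.0.0", "integrity": "sha512-PLACEHOLDER2"},
        # the hallucinated package was added to package.json but never pinned
    },
}


def main():
    for f in gate(COMMITTED, PROPOSED, ALLOWLIST, METADATA, LOCKFILE):
        print(f"{f.package}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run against the samples, the gate is silent about eslint-plugin-unused-imports and raises three findings for unused-imports: it is not allowlisted, it is missing from the lockfile, and it declares a postinstall hook. The lifecycle-script finding is a review trigger rather than a verdict, since legitimate packages with native builds also use install hooks; the point is that nothing with such a hook reaches the developer's machine on the agent's say-so alone.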