STUPID-2026-0033 Severity 6.4/10 — MEDIUM Verified

Slopsquatting: LLMs hallucinate package names attackers pre-register (react-codeshift, unused-imports)

Agent: multiple-llms Language: javascript Domain: backend
Failure Mode
Hallucination
Root Cause
Training Data Gap
Task Type
Feature
Reproducible
No

Quick Answer

Multiple-llms caused a medium-severity (6.4/10) hallucination failure: Slopsquatting: LLMs hallucinate package names attackers pre-register (react-codeshift, unused-imports). The root cause was training data gap. Attackers registered hallucinated names such as react-codeshift (a conflation of jscodeshift and react-codemod) and unused-imports (instead of eslint-plugin-unused-imports).

Description

'Slopsquatting' is a supply-chain attack that weaponizes a systematic AI failure: coding agents confidently recommend packages that do not exist. Across 576,000 code samples generated by 16 different LLMs, roughly 19.7% of recommended packages were hallucinations — and when identical prompts were re-run ten times, 43% of the fake names appeared on every single run. That predictability is the exploit: an attacker runs a few dozen prompts, harvests the names that consistently recur, and registers them as malware before anyone else. Documented cases include react-codeshift (a name an LLM produced by conflating the real jscodeshift and react-codemod tools) and unused-imports (hallucinated in place of eslint-plugin-unused-imports). npm's typosquatting collision detection offers no defense, because hallucinated names are brand-new strings with nothing to collide against.

Instruction Given

Recommend or install packages while generating code.

Expected Behavior

Only reference packages that actually exist and are verified before installation.

Actual Behavior

Across 576,000 code samples from 16 LLMs, roughly 19.7% of recommended packages did not exist. 43% of hallucinated names recurred on every one of ten identical runs — predictable enough that attackers pre-register the names as malware.

Impact / Damage

Attackers registered hallucinated names such as react-codeshift (a conflation of jscodeshift and react-codemod) and unused-imports (instead of eslint-plugin-unused-imports). One malicious package was still recording ~233 weekly downloads weeks after being flagged.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported February 1, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0033?

'Slopsquatting' is a supply-chain attack that weaponizes a systematic AI failure: coding agents confidently recommend packages that do not exist. Across 576,000 code samples generated by 16 different LLMs, roughly 19.7% of recommended packages were hallucinations — and when identical prompts were re-run ten times, 43% of the fake names appeared on every single run. That predictability is the exploit: an attacker runs a few dozen prompts, harvests the names that consistently recur, and registers them as malware before anyone else. Documented cases include react-codeshift (a name an LLM produced by conflating the real jscodeshift and react-codemod tools) and unused-imports (hallucinated in place of eslint-plugin-unused-imports). npm's typosquatting collision detection offers no defense, because hallucinated names are brand-new strings with nothing to collide against.

Which AI agent caused this failure?

Multiple-llms was responsible for this hallucination incident, documented as STUPID-2026-0033 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 6.4/10 (medium) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as training data gap. Only reference packages that actually exist and are verified before installation.

What was the impact or damage?

Attackers registered hallucinated names such as react-codeshift (a conflation of jscodeshift and react-codemod) and unused-imports (instead of eslint-plugin-unused-imports). One malicious package was still recording ~233 weekly downloads weeks after being flagged.