Then LLMs can’t just make up software dependency, they will sabotage everything and kill all.
4 min read
The emergence of LLM-powered code generation tools is changing the way developers write software – and adding new risks to the process’s software supply chain.
As with large language models, these AI coding assistants tend to hallucinate.’ They suggest code that includes software packages which do not exist.
Security researchers have concluded that AI code assistants invent package names as we noted last March and September last year, a recent study found about 5.2 percent of package suggestions from commercial models did not exist, while 21.7 percent were available for the same model.
A running that code should cause an error when importing a non-existent package, but miscreants have discovered they hijack the hallucination for their own gain.
It is necessary to create a malicious software package under ‘hallucinated Package Name’ and then upload the bad package to. packages (file name) or index like PyPI or npm for distribution; thereafter, when an AI code assistant re-hallucinates its co-opted name, the process of installing dependencies as well as running the code will run the malware.
The recurrence seems to be in a bimodal pattern: when prompts are repeated, some hallucinated names appear repeatedly; others vanish entirely – suggesting that certain promptings reliably produce the same phantom packages.
Security firm Socket recently noted that research researchers who studied the subject last year found that re-running the same hallucination-triggering prompt ten times led to 43 percent of halludinal packages being repeated every time and 39 percent never reappearing.
Using the term “slop” (a common pejorative for AI model output) is like exploring hallucinated package names, where variations or misspellings of commonly used terms are used to dupe people. Seth Michael Larson, security developer-in-residence at the Python Software Foundation, has called it “Slopsquatting” – “slope” as well as being ‘slapped’ in order to be an example of what would have been considered a typical case with respect to its name and/or
But we’re looking at this problem from an ecosystem level, and probably impossible,” Larson told The Register: ‘It’s hard to measure how many attempted installs are being made because of LLM hallucinations that don’t require more transparency from LLLM providers. Users of the code generated by LLC (the only ones with no real-world consequences) should double-check their outputs before they put any of those information into operation or otherwise there can be “real-life consequences.”
Larson added that there are “so many reasons why a developer may try to install ‘necessary’ package (including mistyping the package name), incorrectly installing internal packages without checking whether those names already exist in – or not, differences in the product name and the module name) and so on.”
Feross Aboukhadijeh, chief executive of security firm Socket, told The Register: ‘I’m seeing the AI tools become default assistant for many.’ Developers call on the ‘vibe coding’ and prompt the algorithm to be an AI, copy the suggestion and move on; or worse, the artificial agent just goes ahead and installs the recommended packages itself.
The problem is, these code suggestions often include hallucinated package names that sound real but don’t exist
It’s a problem, these code suggestions often include real-life hallucinated package names.’ I have seen this firsthand. You pasted the name in your terminal and it doesn’t work (or worse, because someone has slop-squatted that exact package name).
Aboukhadijeh said these fake packages can look very convincing.
He said: ‘We sometimes find realistic looking READMEs, fake GitHub repos and even sketchy blogs that make the package look real when we investigate,” adding Socket’s security scans will catch these packages because they analyze how the code works.
The world we live in: AI hallucinated packages are validated and rubber-stamped by another AI that is too eager to be helpful.
When you Google one of these slop-squatted package names, “I’m always getting an AI-generated summary from Google itself that says it’s useful, stable, well-maintained. It’ll be parroting the package’–it’d its own README, no recollection, No context. To a developer in rushing to prove legitimacy.
The phrase: “What is our world”: AI hallucinated packages are validated and rubber-stamped by another AI that’s too eager to be helpful.
Aboukhadijeh has cited an incident in January where Google’s AI Overview (which responds to search queries with AI-generated text) suggested a malicious ‘npm package @Atymc–mutex/Mug, which was the typosquatting of legitimate package async—mutEx.
Similarly, one threat actor with the name “_Iain” recently published a playbook on he said: ‘A dark web forum was also created about how to create ‘block block-based botnet using malicious npm packages’.
Aboukhadijeh said that _Iain “automated the creation of thousands of typo-squatted packages (many targeting crypto libraries) and even ChatGPT, which generated realistic-sounding variants of real package names at scale” video tutorials walking others through the process: from publishing the packages to running payloads on infected machines via a GUI. It’s an example of how attackers are weaponizing AI to accelerate software supply chain attacks.
Larson said the Python Software Foundation is “working all the time and resources that adds such work to make package abuse more difficult.”
His work, which has been sponsored by Mike Fiedler, our PyPI Safety & Security Engineer, is “a part of the efforts to help reduce the risk of malware on PyPi (McA) — using an programmatic API to report malware; working with existing malware reporting teams and better detections for typo-squatting of top projects,” he said.
In general, users of PyPI and package managers should be checking that the package they are installing is an existing well-known package, there’s no typo in the name; “the content of the product has been reviewed before installation” (even if it was previously installed) or organizations can mirror a subset of PythonPI within their own organizations to have much more control over which packages were available for developers.”
Get our Tech Resources