惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The GitHub Blog
The GitHub Blog
K
Kaspersky official blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
U
Unit 42
D
Docker
I
InfoQ
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
C
Check Point Blog
The Cloudflare Blog
美团技术团队
V
Vulnerabilities – Threatpost
博客园_首页
T
Threat Research - Cisco Blogs
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
A
Arctic Wolf
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Schneier on Security
Apple Machine Learning Research
Apple Machine Learning Research
MyScale Blog
MyScale Blog
P
Privacy International News Feed
云风的 BLOG
云风的 BLOG
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Blog of Author Tim Ferriss
GbyAI
GbyAI
The Last Watchdog
The Last Watchdog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
aimingoo的专栏
aimingoo的专栏
P
Proofpoint News Feed
The Register - Security
The Register - Security
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
NISL@THU
NISL@THU
Y
Y Combinator Blog
T
Threatpost
Microsoft Azure Blog
Microsoft Azure Blog
L
Lohrmann on Cybersecurity

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Slopsquatting: The AI Package Hallucination Attack You're Probably Not Defending Against
Cor E · 2026-05-03 · via DEV Community

I was doing my TryHackMe training this morning, working through the OWASP LLM Top 10 for 2025, when I hit LLM09:2025 — Misinformation. I thought I had this one covered with Sentinel, my AI security proxy. Misinformation detection, hallucination flagging — I'd mapped all of it.

Then I went deeper and hit something I hadn't explicitly named: package hallucination. I'd seen it happen. I'd caught it myself because I know PyPI well enough to recognize when a package name smells wrong. But if I hadn't? I'd have installed someone else's malware.

This is the attack the security community has started calling slopsquatting, and it's live in the wild right now.


What OWASP LLM09:2025 Actually Says

LLM09 covers the risk of AI-generated content that is factually incorrect, misleading, or fabricated — and the downstream consequences when people or systems act on it without verification.

Most people read this as: "the AI made up a fact."

The real threat surface is much wider. LLMs don't just hallucinate facts. They hallucinate code, APIs, configurations, and package names. When those hallucinations get trusted and executed, the consequences aren't just wrong answers — they're exploitable attack vectors.

Package hallucination is one of the most dangerous expressions of LLM09 because:

  1. The hallucinated output looks completely plausible
  2. Developers have been trained to trust and execute install commands without much scrutiny
  3. Attackers have already automated the process of finding and registering the names LLMs hallucinate most consistently

The Attack Chain: Slopsquatting

The name was coined by Seth Larson of the Python Software Foundation in April 2025. Slop as in low-quality AI output. Squatting as in claiming a name for hostile purposes.

Here's how it works:

Step 1 — The Hallucination

A developer asks an LLM to help connect a Python app to a less-common API. The model doesn't have a clean answer, but it doesn't say that. Instead, it pattern-matches from its training data:

"You can use pip install starlette-reverse-proxy for this."

The package name is plausible. It follows the naming conventions of the Starlette ecosystem perfectly. The developer has no reason to doubt it.

Step 2 — The Squatting

Attackers have already run thousands of prompts against popular models, harvested the package names that appear consistently across runs, and registered them on PyPI or npm.

A 2025 USENIX Security paper found that 43% of hallucinated package names reappear on every single run of the same prompt. The hallucinations aren't random — they're targetable and predictable.

Step 3 — The Infection

pip install starlette-reverse-proxy
# Running setup.py install...
# [your credentials are already gone]

Enter fullscreen mode Exit fullscreen mode

The post-install script executes. Environment variables, API keys, AWS tokens, SSH keys — anything sitting in the shell environment gets exfiltrated. Some packages skip the malicious code entirely and use pip's support for URL-based dependencies to fetch the payload from an external server at install time, keeping the package itself clean for scanners.

Step 4 — Scale

The researcher Bar Lanyado registered huggingface-cli as an empty test package after watching GPT consistently recommend it. Within three months: 30,000 downloads. Alibaba copy-pasted the fake install command directly into their own public documentation. The hallucination cascades downstream before anyone catches it.


Why This Is Harder to Catch Than It Looks

Your first instinct might be: just verify the package exists before installing it.

That's necessary, but not sufficient. Here's why:

Download count is not a reliable signal. Malicious packages accumulate real downloads — both from victims and from the attacker's own bots inflating the count to pass automated checks.

The cross-ecosystem confusion attack is subtle. Nearly 9% of Python package names hallucinated by models turn out to be valid JavaScript packages. LLMs trained on multi-language data bleed recommendations across ecosystems. A real npm package suggested for a Python project sounds completely legitimate.

Attackers move fast. They've automated both the hallucination harvesting and the registration. By the time a name starts appearing in developer searches or Stack Overflow answers, it may already be squatted.

Agentic pipelines have no human in the loop. When your AI coding agent or CI pipeline can autonomously run pip install, the verification step a human would normally perform is simply absent.


Where Sentinel Sits in This Problem

Sentinel is an AI security proxy — it sits between your application and the LLM, analyzing both what goes in and what comes out. It already handles prompt injection detection, content neutralization, and several other LLM09-adjacent threats through a multi-tier detection pipeline.

The slopsquatting vector is interesting because it's a response-side problem. The attack doesn't live in the prompt — it lives in the LLM's output, in the form of an install command that looks completely legitimate.

Sentinel is already in the response path. That's the structural advantage. The question was: what does it check against?

That's what I built this morning.


Introducing SlopScan

SlopScan is a lightweight FastAPI micro-service that scores AI-suggested packages for trustworthiness before they get installed. It's free, open source (Apache 2.0), and designed to be queried by AI agents, proxy layers like Sentinel, or directly from CI pipelines.

How the Scoring Works

Every package check runs four signals, weighted into a single trust score (0–100):

Signal Weight What it catches
Package age 30% Packages registered last week have near-zero score
Download count 25% Real packages have real usage histories
Version count 15% One release = no maintenance history
Maintainer age 15% Brand new publisher account = red flag
Cross-ecosystem hit 15% Real npm package suggested for Python? Flag it.

Risk levels: SAFE (≥75) | CAUTION (≥50) | SUSPICIOUS (≥25) | DANGEROUS (<25)

Try It Locally in Two Minutes

git clone https://github.com/c0ri/SlopScan.git
cd SlopScan
pip install -r requirements.txt
uvicorn main:app --host 0.0.0.0 --port 8765 --reload

Enter fullscreen mode Exit fullscreen mode

Single Package Check

curl http://localhost:8765/check/pypi/requests

Enter fullscreen mode Exit fullscreen mode

{
  "package": "requests",
  "ecosystem": "pypi",
  "found": true,
  "trust_score": 97,
  "risk": "SAFE",
  "flags": [],
  "metadata": {
    "age_days": 5200,
    "version_count": 48,
    "author": "Kenneth Reitz"
  }
}

Enter fullscreen mode Exit fullscreen mode

Now the hallucinated one from the Trend Micro research:

curl http://localhost:8765/check/pypi/starlette-reverse-proxy

Enter fullscreen mode Exit fullscreen mode

{
  "package": "starlette-reverse-proxy",
  "ecosystem": "pypi",
  "found": false,
  "trust_score": 0,
  "risk": "DANGEROUS",
  "flags": ["Package does not exist in registry — likely hallucinated"]
}

Enter fullscreen mode Exit fullscreen mode

Batch Check

Perfect for scanning a full requirements.txt or a set of agent-generated dependencies:

curl -X POST http://localhost:8765/check/batch \
  -H "Content-Type: application/json" \
  -d '{
    "packages": [
      {"ecosystem": "pypi", "name": "requests"},
      {"ecosystem": "npm",  "name": "lodash"},
      {"ecosystem": "pypi", "name": "starlette-reverse-proxy"}
    ]
  }'

Enter fullscreen mode Exit fullscreen mode

{
  "results": [...],
  "summary": {
    "total": 3,
    "safe": 2,
    "caution": 0,
    "suspicious": 0,
    "dangerous": 1
  }
}

Enter fullscreen mode Exit fullscreen mode

Wiring It Into Sentinel (or Your Own Proxy)

import re
import httpx

INSTALL_PATTERN = re.compile(
    r'pip install ([a-zA-Z0-9_\-\.]+)|'
    r'npm install ([@a-zA-Z0-9_\-\/\.]+)|'
    r'import ([a-zA-Z0-9_]+)|'
    r'require\([\'"]([a-zA-Z0-9_\-@\/]+)[\'"]\)'
)

async def check_llm_response(response_text: str):
    packages = extract_packages(response_text)  # regex over INSTALL_PATTERN

    async with httpx.AsyncClient() as client:
        for pkg in packages:
            result = await client.get(
                f"http://slopscan:8765/check/{pkg.ecosystem}/{pkg.name}"
            )
            score = result.json()

            if score["risk"] in ("SUSPICIOUS", "DANGEROUS"):
                # Flag in Sentinel, block agentic install, alert the user
                sentinel.flag(
                    response_text,
                    reason=f"Slopsquatting risk detected: {pkg.name}",
                    details=score
                )

Enter fullscreen mode Exit fullscreen mode


What's Next for SlopScan

This is v0.1 — functional, tested against live registries, and ready to be useful right now. The roadmap has clear targets for where community contributions can take it:

  • Tier 3 — Hallucination fingerprint database: systematically prompt popular models, harvest the names that appear consistently, build a known-bad blocklist. The 43% repeatability stat makes this highly effective.
  • Real download counts via pypistats.org and the npm downloads API (current version uses estimates)
  • GitHub signal integration: stars, last commit date, organization ownership — hard signals that legitimate packages have and squatters don't
  • Additional ecosystems: crates.io, RubyGems, NuGet — each is ~30 lines following the same fetcher pattern
  • Redis cache backend for multi-instance deployments
  • Docker image on Docker Hub

The Bigger Picture

Slopsquatting sits at the intersection of two trends that aren't going away: AI coding assistants getting more autonomous, and the software supply chain remaining a high-value attack surface.

The numbers are stark. Around 20% of AI-generated code references packages that don't exist. Attackers have automated the harvesting of those names. The huggingface-cli experiment showed 30,000 downloads for an empty package registered by a researcher — imagine what a motivated attacker does with the same playbook.

The defense doesn't require abandoning AI-assisted development. It requires treating autonomous package installation as a privileged operation and adding a verification step where humans are no longer in the loop to provide one naturally.

SlopScan is one piece of that. Sentinel is the broader layer. Both are free to use, and SlopScan is free to contribute to.

If you build on it, find a bug, or want to add an ecosystem — PRs are open.

github.com/c0ri/SlopScan


Cori is a network architect and IT Solutions Architect with 30+ years of automation and security experience. He is the founder of Skyblue and the creator of Sentinel-Proxy AI Firewall, an AI security proxy.