AI-Hallucinated Code Dependencies: A New Frontier in Software Supply Chain Security

AI-hallucinated code dependencies are reshaping the landscape of software supply chain security. As generative AI tools become more prevalent in coding, they bring with them the risk of “hallucinating” non-existent package names, a phenomenon known as “slopsquatting” (BleepingComputer). Unlike traditional typosquatting, which exploits human error, slopsquatting leverages the AI’s tendency to invent plausible yet fictitious package names. This emerging threat underscores the need for robust security measures in AI-assisted software development.

Understanding AI-Hallucinated Code Dependencies

The Emergence of AI-Hallucinated Dependencies

AI-hallucinated code dependencies have emerged as a significant concern in the software supply chain, primarily due to the increased use of generative AI tools for coding. These tools, while powerful, have a tendency to “hallucinate” or generate non-existent package names. This phenomenon, termed “slopsquatting,” poses a new class of supply chain attacks (BleepingComputer). Unlike traditional typosquatting, which relies on misspellings to trick developers into installing malicious packages, slopsquatting exploits the AI’s propensity to invent plausible yet non-existent package names.

Mechanisms of AI-Induced Hallucinations

The underlying mechanism of AI-induced hallucinations in code dependencies involves the AI model’s response to prompts, where it generates package names that do not exist. Research indicates that these hallucinations are not random but repeatable artifacts of the model’s behavior. For instance, a study revealed that 58% of hallucinated packages were repeated across multiple runs, suggesting a predictable pattern that could be exploited by malicious actors (BleepingComputer).

Vulnerabilities in AI-Generated Code

AI-generated code is inherently vulnerable due to the complexity of evaluating its security. Existing research has shown that AI code generation models frequently produce insecure code under experimental conditions. The process of assessing the security of AI-generated code involves numerous interdependent variables, making it a challenging task (Center for Security and Emerging Technology). This complexity is compounded by the fact that hallucinated package names can be semantically plausible, creating a deceptive attack surface.

Impact on Open-Source and Commercial AI Models

The impact of hallucinated dependencies varies between open-source and commercial AI models. Open-source models like CodeLlama and DeepSeek exhibit higher hallucination rates, with approximately 21.7% of package suggestions being non-existent. In contrast, commercial models such as ChatGPT-4 have a lower hallucination rate of about 5.2% (The Register). Despite the lower rate, the occurrence of hallucinations in commercial models remains significant and poses a risk to the software supply chain.

Mitigation Strategies for AI-Hallucinated Dependencies

To mitigate the risks associated with AI-hallucinated dependencies, several strategies can be employed. One effective approach is the use of dependency scanners, lockfiles, and hash verification to pin packages to known, trusted versions (BleepingComputer). Additionally, lowering the AI model’s “temperature” settings can reduce the likelihood of hallucinations by decreasing randomness in the generated outputs.

Predictive Attack Surface and Future Implications

The predictability of hallucinated package names presents a concerning attack surface that could be easily weaponized. Researchers have warned that hallucinated package names are common and semantically plausible, making them attractive targets for malicious actors (BleepingComputer). The potential for these hallucinations to be exploited in supply chain attacks underscores the need for heightened vigilance and proactive security measures in AI-assisted software development workflows.

AI-Hallucinations and Software Supply Chain Security

The security implications of AI-hallucinated dependencies extend beyond immediate vulnerabilities. The arrival of autonomous or agentic AI is expected to exacerbate these challenges, as it will introduce even greater complexity into the software supply chain (Cloud Security Alliance). Organizations using generative AI must broaden their cybersecurity purview to anticipate and mitigate downstream threats originating from the AI software supply chain.

Evaluating AI Models and Hallucination Propensity

Evaluating the propensity of AI models to hallucinate package names is crucial for securing AI-assisted software development. An inverse correlation has been observed between package hallucination rates and the HumanEval coding benchmark, offering a heuristic for assessing model reliability (arXiv). This correlation provides a foundation for developing future models that are less prone to hallucinations and more secure against supply chain attacks.

The Role of Developers in Mitigating Risks

Developers play a critical role in mitigating the risks associated with AI-hallucinated dependencies. The tendency of programmers to trust AI-generated code without thorough validation makes them susceptible to package hallucination attacks (IDC Blog). By adopting best practices such as testing AI-generated code in isolated environments and verifying package authenticity, developers can reduce the likelihood of falling victim to these attacks.

Future Research and Development Directions

Future research and development efforts should focus on enhancing the security of AI-generated code and reducing hallucination rates. This includes exploring new methodologies for evaluating AI models, improving the accuracy of dependency suggestions, and developing tools to detect and prevent hallucinated package names. By addressing these challenges, the software development community can better safeguard against the evolving threat of AI-hallucinated code dependencies.

Final Thoughts

The rise of AI-hallucinated code dependencies presents a formidable challenge to software supply chain security. As AI models continue to evolve, so too do the risks associated with their use. The predictability of hallucinated package names offers a new attack vector for malicious actors, necessitating proactive security strategies (BleepingComputer). Developers and organizations must remain vigilant, employing best practices and innovative solutions to safeguard against these threats. The future of AI in software development hinges on our ability to mitigate these risks effectively.

References

• AI-hallucinated code dependencies become new supply chain risk, 2025, BleepingComputer https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
• Cybersecurity risks of AI-generated code, 2025, Center for Security and Emerging Technology https://cset.georgetown.edu/publication/cybersecurity-risks-of-ai-generated-code/
• AI code suggestions sabotage supply chain, 2025, The Register https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
• AI software supply chain risks prompt new corporate diligence, 2025, Cloud Security Alliance https://cloudsecurityalliance.org/blog/2025/03/31/ai-software-supply-chain-risks-prompt-new-corporate-diligence
• Package hallucination: The latest, greatest software supply chain security threat, 2024, IDC Blog https://blogs.idc.com/2024/04/22/package-hallucination-the-latest-greatest-software-supply-chain-security-threat/
• Evaluating AI models and hallucination propensity, 2025, arXiv https://arxiv.org/html/2501.19012v1