Home Content News Slopsquatting Bypasses Typosquatting Defences In Open Source

Slopsquatting Bypasses Typosquatting Defences In Open Source

0
1
Image for representation purpose
Slopsquatting - Image for representation purpose

A new AI-driven supply chain attack, slopsquatting, lets cybercriminals weaponise hallucinated open source package names, exposing organisations using AI-assisted coding to malware and highlighting the need for stronger dependency verification.

A newly identified software supply chain attack dubbed slopsquatting is exposing the open-source ecosystem to malware by exploiting hallucinated package names generated by AI coding assistants. Instead of relying on misspelled package names like traditional typosquatting, attackers register fictitious package names repeatedly suggested by large language models (LLMs) and populate them with malicious code.

During AI-assisted coding, developers may unknowingly install these fake packages, allowing malware to enter projects from the earliest stages of development. Since package registries primarily defend against typosquatting, they often fail to detect believable hallucinated names, creating a significant gap in open-source software supply chain security.

The risk is amplified because LLMs tend to generate the same hallucinated package names, enabling attackers to compromise many developers by registering relatively few fake packages. These malicious dependencies can remain undetected in production environments for extended periods.

Research cited in the analysis found vulnerabilities across open-source packages are growing by 98% annually, while package growth stands at 25%, with average vulnerability lifespans increasing by 85%. Another study analysing 576,000 AI-generated code samples found 19.7% of package references were hallucinated. GPT-4.0 Turbo recorded a 3.59% hallucination rate, while DeepSeek 1B reached 13.63%.

With developers estimating that over 40% of committed code already involves AI assistance and 72% using AI daily, organisations are urged to verify AI-recommended packages against official repositories, automate dependency validation, monitor unusual package installations and maintain current threat intelligence on slopsquatting campaigns.

LEAVE A REPLY

Please enter your comment!
Please enter your name here