Slopsquatting: How AI Agents Are Hallucinating Dependencies Into Real Supply-Chain Attacks
TL;DR
AI coding agents now hallucinate non-existent package names, and anyone who registers those names on a public registry gets real code execution the moment an agent installs them. A researcher registered an npm package name that an LLM had invented and watched the reference spread to 237 GitHub repos, with live download attempts arriving at the registry. This is a novel supply-chain attack surface: slopsquatting.
What Happened
In January 2026, security researcher Charlie Eriksen from Aikido Security published a proof-of-concept that exposed a fundamental flaw in how AI agents interact with package registries: they fabricate dependencies that don't exist.
Eriksen's setup was simple. A vibe-coded collection of "agent skills" (markdown/JSON instruction files for AI agents) contained two tasks: react-modernization and dependency-upgrade. Both invoked a package called react-codeshift via npx.
The problem: react-codeshift never existed. An LLM hallucinated it.
When Eriksen registered the unclaimed npm package name as a proof of concept, real download attempts started arriving. The skill files had spread to 237 GitHub repositories, and AI agents were autonomously trying to install the package he now controlled.
"The supply chain just got a new link, made of LLM dreams," Eriksen said. "This was a hallucination. It spread to 237 repositories. It generated real download attempts. The only reason it didn't become an attack vector is because I got there first."
Technical Details
The Attack Chain
1. Agent Skill Generation: Developers create markdown/JSON instruction files ("agent skills") that teach AI agents how to perform tasks like code migration.
2. LLM Hallucination: When writing code examples or package references, coding LLMs (Claude, GPT, etc.) invent plausible-sounding package names that don't actually exist.
3. Skill Propagation: These skills spread across GitHub, cloned and modified by other developers.
4. Autonomous Installation: When another AI agent encounters one of these skills, it tries to execute it autonomously, including fetching the hallucinated dependency. `npx <name>` downloads and runs the package in one step; `npm install` or `pip install` pulls it into the project and runs any install-time hooks the package ships. Either way, whoever controls the name gets code execution on the agent's host.
5. Registry Exploitation: Attackers pre-register common hallucinated names on npm, PyPI, and other registries, waiting for AI agents to stumble into their trap.
The Landscape: PromptMink Campaign
This threat isn't theoretical. The PromptMink campaign (attributed to Famous Chollima, a North Korean APT group) has for months been weaponizing LLM knowledge injection, seeding the registry with packages built to be discovered and recommended by LLM agents:
- Bait packages: legitimate-looking cryptocurrency libraries (`@solana-launchpad/sdk`, `@validate-ethereum-address/core`) with detailed READMEs written to appeal to, or be discovered by, LLM agents.
- Hidden malware: secondary dependencies (e.g., `hash-validator`) carry JavaScript infostealers.
- Evolution: the attackers moved from self-contained Node.js executables (100MB+) to Rust-compiled NAPI-RS add-ons to reduce the detection surface.
- Autonomous proof: researchers found that Claude Opus had autonomously committed a dependency on the malicious `@solana-launchpad/sdk` package to a legitimate Solana hackathon project.
Why This Breaks Existing Defenses
Traditional supply-chain security assumes an attacker either:
1. Compromises an existing package or its maintainer (account takeover, social engineering), or
2. Publishes a malicious package under a name developers might reach for (typosquatting) and waits for human developers to install it.
Slopsquatting inverts this: attackers don't need to trick humans—they let AI agents do it automatically. And unlike human discovery (which requires visibility, trust, and time), autonomous agents will install anything their training suggests is legitimate.
Lyrie Assessment
This attack vector directly threatens three of Lyrie.ai's core concerns:
1. **Autonomous Agent Governance**
If your CI/CD agents, code review bots, or development AI tools are running unsandboxed and can autonomously install npm/PyPI packages, you have a slopsquatting-shaped hole in your supply-chain defense. Lyrie's autonomous cyber operations platform already grapples with this: every agent that touches package registries becomes a potential infection vector.
2. **The Hallucination-to-Exploitation Pipeline**
This attack exploits a fundamental gap: LLMs hallucinate confidently. They generate plausible code that references non-existent packages. If your organization relies on AI coding assistants (Cursor, GitHub Copilot, Claude Code) for development, you're already seeding hallucinated dependencies into your codebase. The question is whether attackers are squatting on them.
3. **Defense Economics Have Changed**
Traditional supply-chain defense relied on code review, dependency auditing, and human scrutiny of package.json changes. Slopsquatting breaks this model because:
- The hallucination is legitimate-looking (LLM-generated code is convincing).
- The installation is autonomous (no human approval needed).
- The registry compromise is silent (no maintainer breach signal).
- The attack is massively parallelizable (one hallucination can infect thousands of repos).
Recommended Actions
Immediate (This Week)
- Audit agent skill repositories: search your organization's repositories, and any public skill collections you pull from, for skill files that invoke external packages via npx, npm install, pip install and similar. Confirm each referenced package exists and is the one the author intended; a name that resolves to nothing today is a name an attacker can register tomorrow.
- Lock down what agents can install: If Claude Code, Copilot, or other coding agents run in production CI/CD, point them at an internal registry mirror that serves only allow-listed npm/PyPI packages and block their direct access to the public registries. An allowlist stated in a prompt is not enforcement; the network path is.
- Verify signatures and provenance: run `npm audit signatures` to check registry signatures and provenance attestations on installed packages. Caveat: provenance proves which repository and build workflow produced a package, not that the package is benign. A squatter can publish a hallucinated name with perfectly valid provenance, so this complements the allowlist rather than replacing it.
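The audit step above and the attack chain in the Technical Details section both come down to one question: which package names do our skill files cause an agent to fetch, and do those names actually exist and have we approved them? The following Python script is an added example (not code from Eriksen's post, from Aikido, or from any tool named on this page). It extracts package names from `npx`, `npm install`/`exec`, `pnpm`/`yarn` `add`/`dlx` and `pip install` commands found in skill files and classifies each name against an allowlist and a set of packages known to exist. The sample skill texts, `ALLOWLIST` and `KNOWN_PACKAGES` are constructed for illustration; `KNOWN_PACKAGES` stands in for the registry lookup a real deployment would perform.

```python
"""Scan agent-skill files for package invocations and flag names that are not approved.

Added example: the regexes, the sample skill text, ALLOWLIST and KNOWN_PACKAGES are
constructed for illustration. KNOWN_PACKAGES stands in for a registry existence check
that a real deployment would perform instead of a static set.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# npm-style name: optional @scope/ prefix, then letters, digits, '-', '_' or '.'
_NAME = re.compile(r"(?:@[a-z0-9][\w.-]*/)?[a-z0-9][\w.-]*")
# Characters that end a command's argument list (newline, inline code, shell operators, JSON quoting)
_ARG_END = r'\n`|&;"\'\]}'
# Commands that download (and, for runners, immediately execute) an arbitrary package
_INVOCATION = re.compile(
    r"\b(?P<cmd>npx|npm\s+(?:install|i|add|exec)|pnpm\s+(?:add|dlx)|yarn\s+(?:add|dlx)|pip\s+install)\s+"
    r"(?P<args>[^" + _ARG_END + r"]*)",
    re.IGNORECASE,
)
# Runners resolve exactly one package (the first positional); everything after it is that package's input
RUNNERS = {"npx", "npm exec", "pnpm dlx", "yarn dlx"}


@dataclass(frozen=True)
class Finding:
    path: str
    command: str
    package: str
    status: str  # "allowed", "exists-unapproved" or "nonexistent"


def strip_version(token: str) -> Optional[str]:
    """'lodash@4.17.21' -> 'lodash', '@s/n@1.0' -> '@s/n'; None for paths, URLs and other non-names."""
    at = token.rfind("@")
    name = token[:at] if at > 0 else token
    return name if _NAME.fullmatch(name) else None


def packages_from_args(args: str, single: bool) -> List[str]:
    """Package names a command would resolve from its argument string.

    Flags are skipped, '-p/--package X' names a package explicitly, and nothing after '--'
    is resolved. For runners (single=True) only the first positional is a package, unless
    -p was given, in which case the positional is a binary inside that package.
    """
    pkgs: List[str] = []
    tokens = args.split()
    explicit = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--":
            break
        if tok in ("-p", "--package") and i + 1 < len(tokens):
            name = strip_version(tokens[i + 1])
            if name:
                pkgs.append(name)
            explicit = True
            i += 2
            continue
        if tok.startswith("-"):
            i += 1
            continue
        name = strip_version(tok)
        if name and not (single and explicit):
            pkgs.append(name)
        if single:
            break
        i += 1
    return pkgs


def extract_invocations(text: str):
    """Yield (command, [packages]) for every package-fetching command found in text."""
    for m in _INVOCATION.finditer(text):
        cmd = " ".join(m.group("cmd").lower().split())
        pkgs = packages_from_args(m.group("args"), single=cmd in RUNNERS)
        if pkgs:
            yield cmd, pkgs


def scan_skills(files, allowlist, known_packages) -> List[Finding]:
    """Classify every package referenced by the skill files ({path: text})."""
    findings = []
    for path, text in files.items():
        for cmd, pkgs in extract_invocations(text):
            for pkg in pkgs:
                if pkg in allowlist:
                    status = "allowed"
                elif pkg in known_packages:
                    status = "exists-unapproved"
                else:
                    status = "nonexistent"  # hallucinated today, squattable tomorrow
                findings.append(Finding(path, cmd, pkg, status))
    return findings


# Constructed sample skills, modelled on the react-modernization / dependency-upgrade skills
# described above; react-codeshift is the hallucinated name from the article.
SAMPLE_SKILLS = {
    "skills/react-modernization/SKILL.md": (
        "# React modernization\n"
        "Run the codemod over the source tree: `npx -y react-codeshift --migrate src/`\n"
    ),
    "skills/dependency-upgrade/skill.json": json.dumps({
        "name": "dependency-upgrade",
        "steps": ["npm install lodash@4.17.21 react-codeshift",
                  "npx jscodeshift -t upgrade.js src"],
    }),
    "skills/py-helper/SKILL.md": "Install the helper first: `pip install validate-ethereum-address`\n",
}
ALLOWLIST = {"jscodeshift"}                 # packages approved for agent use (constructed)
KNOWN_PACKAGES = {"jscodeshift", "lodash"}  # stand-in for "exists on the registry" (constructed)

if __name__ == "__main__":
    for f in scan_skills(SAMPLE_SKILLS, ALLOWLIST, KNOWN_PACKAGES):
        print(f"{f.status:18} {f.package:28} via '{f.command}' in {f.path}")
```

Run against a real skill collection, replace `KNOWN_PACKAGES` with a registry query and treat every `nonexistent` finding as a name to either register yourself or remove from the skill; every `exists-unapproved` finding is a package that needs review before it goes on the allowlist.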
Short-term (This Month)
- SBOM everything: Implement Software Bill of Materials (SBOM) generation for all AI agent-generated code. Track every transitive dependency.
- Manual approval gates: Require human approval before any AI agent installs new packages, even in dev environments.
- Agent skill review: Audit every agent skill in use in your organization. For each package a skill invokes, confirm it exists and is the package the author intended, then pin it to an exact version (`npx package@1.2.3` rather than `npx package`) so a later publish cannot change what runs; remove skills whose packages cannot be verified.
Strategic (This Quarter)
- Sandbox AI agents: Run code-generation agents without direct access to public registries. Route installs through an internal proxy or mirror that serves only vetted packages (for npm, set `registry=` in the project's `.npmrc` to the proxy and `ignore-scripts=true` so install-time hooks do not run), or install from a pre-populated offline cache.
- Monitor for hallucination patterns: Integrate Lyrie.ai's threat intelligence with your development pipeline to flag packages that match common LLM hallucination patterns (e.g., plausible but nonexistent crypto/web3 libraries).
- Five Eyes guidance: Implement the CISA-NSA-Five Eyes recommendations on agentic AI security. The agencies explicitly warned: "Poor or deliberately misleading tool descriptions can cause agents to select tools unreliably, with persuasive descriptions chosen more often."
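The approval gate, the allowlist and the registry restriction in the lists above can be enforced mechanically on every pull request. The following Python script is an added example (not code from any of the page's sources or from the tools it names): it compares the proposed `package-lock.json` with the one on the main branch and fails on any newly introduced package that is not allow-listed, was not resolved from the approved registry, or carries no integrity hash. Both lockfiles, the allowlist and the package names are constructed for the example: `react-codeshift` is the hallucinated name from the article and `codeshift-telemetry` is a made-up transitive dependency standing in for a tarball pulled from outside the registry.

```python
"""Gate on lockfile changes: every package an agent introduces must be allow-listed,
resolved from the approved registry, and carry an integrity hash.

Added example; BASELINE_LOCK and PROPOSED_LOCK are constructed (npm lockfileVersion 3 layout),
the integrity values are placeholders, and codeshift-telemetry is a made-up package name.
"""
import json
import sys
from typing import Dict, List, Tuple
from urllib.parse import urlparse


def package_name(lock_key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs keep the same key layout)."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def installed_packages(lock: dict) -> Dict[str, List[dict]]:
    """Map package name -> lock entries, skipping the root entry and workspace symlink entries."""
    out: Dict[str, List[dict]] = {}
    for key, entry in lock.get("packages", {}).items():
        if not key.startswith("node_modules/") or entry.get("link"):
            continue
        out.setdefault(package_name(key), []).append(entry)
    return out


def check_new_packages(old_lock: dict, new_lock: dict, allowlist, approved_registry: str) -> List[Tuple[str, str]]:
    """Return (package, reason) violations for every package present in new_lock but not in old_lock.

    The allowlist check is the one that catches slopsquatting: a squatted name can be published
    to the real registry with a valid integrity hash, so the other two checks alone would pass it.
    """
    before = installed_packages(old_lock)
    after = installed_packages(new_lock)
    violations: List[Tuple[str, str]] = []
    for name in sorted(set(after) - set(before)):
        if name not in allowlist:
            violations.append((name, "not-allowlisted"))
        for entry in after[name]:
            resolved = entry.get("resolved", "")
            if urlparse(resolved).netloc != approved_registry:
                violations.append((name, f"off-registry:{resolved or '<none>'}"))
            if not entry.get("integrity"):
                violations.append((name, "missing-integrity"))
    return violations


# Constructed lockfiles: the baseline on main, and the one an agent proposes in a pull request.
BASELINE_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"lodash": "^4.17.21", "react": "^18.2.0"}},
        "node_modules/lodash": {"version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-PLACEHOLDER-lodash"},
        "node_modules/react": {"version": "18.2.0",
            "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
            "integrity": "sha512-PLACEHOLDER-react"},
    },
}
PROPOSED_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        **BASELINE_LOCK["packages"],
        "node_modules/react-codeshift": {"version": "0.1.0",
            "resolved": "https://registry.npmjs.org/react-codeshift/-/react-codeshift-0.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER-codeshift"},
        # nested transitive dependency fetched from a tarball URL outside the registry, with no hash
        "node_modules/react-codeshift/node_modules/codeshift-telemetry": {"version": "0.1.0",
            "resolved": "https://cdn.example.net/codeshift-telemetry-0.1.0.tgz"},
    },
}
ALLOWLIST = {"lodash", "react"}            # packages approved for agent-driven installs (constructed)
APPROVED_REGISTRY = "registry.npmjs.org"   # in practice the internal proxy or mirror host

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python lockgate.py baseline-package-lock.json proposed-package-lock.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            before, after = json.load(a), json.load(b)
    else:
        before, after = BASELINE_LOCK, PROPOSED_LOCK
    problems = check_new_packages(before, after, ALLOWLIST, APPROVED_REGISTRY)
    for name, reason in problems:
        print(f"BLOCK {name}: {reason}")
    sys.exit(1 if problems else 0)
```

Wire this in as a required CI check and the "human approval" step becomes concrete: a reviewer adds the name to the allowlist after looking at the package, and nothing an agent writes into `package.json` reaches the build until that happens. Pair it with `ignore-scripts=true` in `.npmrc`, because `npm ci` on the proposed lockfile would otherwise run the new package's install hooks before the gate has a chance to report.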
Sources
1. https://www.infoworld.com/article/4167479/supply-chain-attacks-take-aim-at-your-ai-coding-agents-2.html
2. https://www.csoonline.com/article/4167465/supply-chain-attacks-take-aim-at-your-ai-coding-agents.html
3. https://www.reversinglabs.com/blog/claude-promptmink-malware-crypto
4. https://www.aikido.dev/blog/agent-skills-spreading-hallucinated-npx-commands
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.