Slop Snake Oil
Fraudulent products have existed as long as human beings have wanted to cut corners to get something cheaply and easily. And as long as producers of said fraudulent products have wanted to make a profit by exploiting someone else’s need. Watch any late night television ad and count how many allegedly medicinal products there are for sale, claiming to work just as well as real thing at a fraction of the cost. ‘But wait, there’s more!’ these ads invariably claim, an enticement to get gullible consumers to buy more. At the consumer level, it’s a gamble as to whether those products will be harmless placebos or something that will make one sick. They are the modern equivalent to snake oil salesmen.
Enter the digital age, where instead of selling fake remedies for what ails us, we have open source npm’s that don’t actually exist, but nevertheless are being integrated into development trees. Some are ‘harmless’, in the sense that they go nowhere. They are usually the result of a typo, a misspelling of some legitimate package that somehow end up being registered anyway. Typosquatting, the process of registering a malicious package with a name close enough to a popular package that a user will typo their way into it, is a known tactic of threat actors. Package managers like npm have protections in place to prevent these from reaching public repositories by not allowing them to be registered with names that are too similar to existing ones.
Now we have AI, and a novel form of typosquatting: slopsquatting. Instead of relying on human error when typing in a name, LLM’s are creating fake package names, either by conflating existing ones, typo variants, or straight up fabrication (a whopping 50% of the time this occurs, according to Aikido Security). The trouble with slopsquatting is many AI tools bypass the need for human confirmation, meaning there is no oversight to halt what they are hallucinating from becoming tangible. And threat actors are taking advantage of that to infect this vastly larger pool of fake package names. Worse yet, npm’s preventative protections are also bypassed, since none of the AI created names ping the system as being similar to already registered ones.
Aikido states that they are seeing instances of slopsquatting in the wild, although thus far it’s been hard to definitively prove what the intentions are in exploiting them. Malware-as-a-service would be my guess. The framework is there, their article details some examples, including one that the AI tool seems to have invented wholecloth called ‘react-codeshift’. No one wrote or registered it, but it has shown up in AI infrastructure, and developers have tried to download it. Aikido suspects an AI assistant tool was asked to generate a set of coding agent instructions, and made one up to fulfill the request. No review or testing of the output happened, and it was immortalized via GitHub because it wasn’t caught. It’s a conflation of two existing packages, the name merely mashed together to create a plausible looking new one. By the time it was found, it had made its way into over 200 repositories and translated into Japanese. It’s sheer chance that researchers found it before threat actors did. It’s not likely to be the last time something like this happens.
As with most exploitations, user caution goes a long way towards prevention. Verifying the publisher is a more reliable metric than simply looking at download numbers. Make sure that package claiming to be a plugin has maintainer information and isn’t just something that popped up suddenly last week. Limit the amount of autonomy and permissions AI tools have so they aren’t bypassing human authority in broad privilege situations. Be aware of the dependencies in development trees, since some of these fake packages are nested inside them rather than direct installations. And remember, if it looks too good to be true, it probably is.
Posted, 2/23/26















