#slopsquatting — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #slopsquatting, aggregated by home.social.
-
#AI #code often includes references to non-existent dependencies. These references are commonly called “#hallucinations”. A new type of #attack has arisen that involves an attacker registering a package whose name is frequently hallucinated. When AI code containing this #hallucination is accepted, and this dependency is installed, the attacker can ship #malicious code into the project’s build, introducing a major #security vulnerability. This type of attack has become known as “#slopsquatting”.
-
Фантазии LLM воплощаются в реальности — фальшивые опенсорсные библиотеки
LLM придумывает названия несуществующих библиотек и предлагает разработчикам-вайбкодерам пользоваться ими. Если есть спрос — возникнет и предложение. Вскоре эти библиотеки действительно появляются в реальности , но уже с вредоносным кодом.
https://habr.com/ru/companies/globalsign/articles/946872/
#llm #галлюцинации #slopsquatting #генерация_кода #фальшивки
-
**Check this out: techno feudalism, chatons, slopsquatting and more (9. 8. 2025)**
- The future is not self-hosted: https://www.drewlyton.com/story/the-future-is-not-self-hosted
(Self-sustainable organic farms (and self-hosted IT stuff) are a nice idea, but they are difficult to maintain in ‘island mode’. Are community owned shared data servers a solution?)
(Examples of community data servers in France)
- Your first FOSS contribution: https://collaboraonline.github.io/post/easyhacks/
(If you’re masochistic enough to join FOSS development and don’t know where to start, well, you can do it here. A list of open issues that are ‘easy’ solvable.)
- Slopsquatting: https://en.wikipedia.org/wiki/Slopsquatting
(If you’re using LLM for code generation and then you install a non-existing library (that is hosted by the attacker), well, it’s your own fault.)
- Home Assistant and 433Mhz devices: https://www.wswapps.com/books/home-assistant/page/433-mhz-devices
(You want to see what are your neighbours’ devices, like garage opener, up to? )
- Nice fonts – 7 and 14-segment display: https://www.keshikan.net/fonts-e.html
(You never know when you need retro-style display fonts)
- Replace your Windows 10 with Linux, https://endof10.org/
(Windows 10 support is running out soon. Don’t buy a new computer, shoot yourself in the foot with a Linux! You will limp, but you’ll be free from mass-scale espionage.)
- How to detect AI writing: https://en.wikipedia.org/wiki/Wikipedia:Signs_of_AI_writing
(Forget AI detector tools, hoomanz are also able to detect AI slop. Actually, the signs of slop are pretty straight forward. AI sounds like you listened to a hyped ultra positive grifter salesman/politician)
https://blog.rozman.info/check-this-out-techno-feudalism-chatons-slopsquatting-and-more-9-8-2025/
-
#Slopsquatting: nabbing nonexistent names AI chatbots likely to hallucinate - https://boingboing.net/2025/08/06/slopsquatting-nabbing-nonexistent-names-ai-chatbots-likely-to-hallucinate.html
-
"#Slopsquatting is a type of #cybersquatting. It is the practice of registering a non-existent software package name that a large language model (#LLM) may hallucinate in its output, whereby someone unknowingly may copy-paste and install the #software package without realizing it is #fake."
-
#LLM can't stop making up software dependencies and sabotaging everything
Hallucinated package names fuel '#slopsquatting'
As #AI #coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names—laced with #malware, of course.
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/ -
📢 AI coding tools are creating silent vulnerabilities through "slopsquatting"—where attackers register package names hallucinated by AI.
This attack vector “exploits vibecoding" (using AI without review) and specifically targets less technical developers.#AISecurityRisks #Slopsquatting #VibeCoding #SecureCoding #CyberSecurity
-
Curious about the buzzwords shaping the future of AI?
From vibe coding to ‘slopsquatting’, we're breaking down what these mean and their impact on tech and cybersecurity. Check out the latest @sharedsecurity episode for insights!
Watch on YouTube:
https://youtu.be/vi7a9ciHPjgListen and subscribe to the podcast!
https://sharedsecurity.net/subscribe -
Researchers have uncovered a new supply chain attack called #Slopsquatting where threat actors exploit hallucinated, non-existent package names generated by #AI coding tools like #GPT4 and #CodeLlama
These believable yet fake packages (amounting to 19.7% or 205,000 packages), recommended in test samples were found to be fakes., can be registered by attackers to distribute malicious code.
Open-source models -- like #DeepSeek and #WizardCoder -- hallucinated more frequently, at 21.7% on average, compared to the commercial ones (5.2%) like GPT 4.
We Have a Package for You! A Comprehensive Analysis of Package Hallucinations
by Code Generating LLMs (PDF) https://arxiv.org/pdf/2406.10279 -
[Перевод] Когда ИИ становится троянским конем: 43% «галлюцинированных» имен пакетов регулярно повторяются в сгенерированном коде
AI-помощники регулярно "галлюцинируют" несуществующие пакеты, а злоумышленники используют эти имена для размещения вредоносного кода в репозиториях. Исследования показывают, что 5.2% рекомендаций пакетов от коммерческих моделей не существуют, а для open-source моделей этот показатель достигает 21.7%. Эта техника, названная "слопсквоттингом" (slopsquatting), особенно опасна в эпоху "vibe coding", когда разработчики безоговорочно доверяют рекомендациям AI.
https://habr.com/ru/articles/901198/
#искусственный_интеллект #кибербезопасность #slopsquatting #разработка #галлюцинации_ии #npm #pypi #vibecoding
-
“Users of LLM generated code, packages, and information should be double-checking LLM outputs against reality before putting any of that information into operation, otherwise there can be real-world consequences.”
https://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
h/t @macmanx #slopsquatting #TheMoreYouKnow -
New “Slopsquatting” Threat Emerges from AI-Generated Code Hallucinations – Source:hackread.com https://ciso2ciso.com/new-slopsquatting-threat-emerges-from-ai-generated-code-hallucinations-sourcehackread-com/ #1CyberSecurityNewsPost #artificialintelligence #CyberSecurityNews #cybersecurity #Hallucination #Slopsquatting #Typosquatting #Hackread #security #LLM #AI
-
JFC.
“All that's required is to create a malicious software package under a hallucinated package name and then upload the bad package to a package registry or index like PyPI or npm for distribution. Thereafter, when an AI code assistant re-hallucinates the co-opted name, the process of installing dependencies and executing the code will run the malware.”
#fuckaroundandfindout
#slopsquattinghttps://www.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
-
New supply chain attacks called "slopsquatting" in AI coding attempts to leverage AI models tendency to hallucinate non-existent package names.
Research indicates roughly 20% of the sampled Python and JavaScript code samples recommended packages didn't exist.
https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/ #slopsquatting #hallucinations #AI #coding #supplychain #python #javascript #cybersecurity
-
https://www.theregister.com/AMP/2025/04/12/ai_code_suggestions_sabotage_supply_chain/
create a malicious software package under a hallucinated package name and then upload the bad package…when an #AIcodeassistant re-hallucinates the co-opted name, the process of installing dependencies and executing the code will run the #malware…
…a form of typosquatting, where variations or misspellings of common terms are used to dupe people. Seth Michael Larson, #Python Software Foundation, has dubbed it #slopsquatting – "slop" being a common pejorative for AI output