AI Incident Database

Incident 731: Hallucinated Software Packages with Potential Malware Downloaded Thousands of Times by Developers

Description: Large language models are reportedly hallucinating software package names, some of which are uploaded to public repositories and integrated into real code. One such package, huggingface-cli, was downloaded over 15,000 times. This behavior enables "slopsquatting," a term coined by Seth Michael Larson of the Python Software Foundation, where attackers register fake packages under AI-invented names and put supply chains at serious risk.
Editor Notes: See Bar Lanyado's report at: https://www.lasso.security/blog/ai-package-hallucinations. See Spracklen et al.'s preprint, "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs," here: https://arxiv.org/abs/2406.10279. See Zhou et al.'s study, "Larger and more instructable language models become less reliable," here: https://doi.org/10.1038/s41586-024-07930-y.


Entities

Alleged: OpenAI, Google, Cohere, Meta, DeepSeek AI and BigScience developed an AI system deployed by Developers using AI-generated suggestions and Bar Lanyado, which harmed Developers and businesses incorporating AI-suggested packages, Alibaba, Organizations that incorporated fake dependencies, Software ecosystems, Users downstream of software contaminated by hallucinated packages and Trust in open-source repositories and AI-assisted coding tools.
Alleged implicated AI systems: LLM-powered coding assistants, ChatGPT 3.5, ChatGPT 4, Gemini Pro, Command, LLaMA, CodeLlama, DeepSeek Coder, BLOOM, Python Package Index (PyPI), npm (Node.js), GitHub and Google Search / AI Overview

Incident Stats

Incident ID: 731
Report Count: 4
Incident Date: 2023-12-01
Editors: Daniel Atherton
Applied Taxonomies: MIT

MIT Taxonomy Classifications

Machine-Classified

Risk Subdomain: 2.2. AI system security vulnerabilities and attacks
A further 23 subdomains create an accessible and understandable classification of hazards and harms associated with AI.

Risk Domain: Privacy & Security
The Domain Taxonomy of AI Risks classifies risks into seven AI risk domains: (1) Discrimination & toxicity, (2) Privacy & security, (3) Misinformation, (4) Malicious actors & misuse, (5) Human-computer interaction, (6) Socioeconomic & environmental harms, and (7) AI system safety, failures & limitations.

Entity: AI
Which, if any, entity is presented as the main cause of the risk.

Timing: Post-deployment
The stage in the AI lifecycle at which the risk is presented as occurring.

Intent: Unintentional
Whether the risk is presented as occurring as an expected or unexpected outcome from pursuing a goal.

Incident Reports

AI hallucinates software packages and devs download them – even if potentially poisoned with malware
theregister.com · 2024

Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency in…

AI code helpers just can't stop inventing package names
theregister.com · 2024

AI models just can't seem to stop making things up. As two recent studies point out, that proclivity underscores prior warnings not to rely on AI advice for anything that really matters.

One thing AI makes up quite often is the names of sof…

AI code suggestions sabotage software supply chain
theregister.com · 2025

The rise of LLM-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process.

These AI coding assistants, like large language models in general, have a habi…

AI-hallucinated code dependencies become new supply chain risk
bleepingcomputer.com · 2025

A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and the model's tendency to "hallucinate" non-existent package names.

The term slopsquatting was coined by securi…

Variants

A "variant" is an incident that shares the same causative factors, produces similar harms, and involves the same intelligent systems as a known AI incident. Rather than index variants as entirely separate incidents, we list variations of incidents under the first similar incident submitted to the database. Unlike other submission types to the incident database, variants are not required to have reporting in evidence external to the Incident Database. Learn more from the research paper.

Similar Incidents

By textual similarity

  • Hackers Break Apple Face ID (Sep 2017 · 24 reports)
  • Biased Sentiment Analysis (Oct 2017 · 7 reports)
  • All Image Captions Produced are Violent (Apr 2018 · 28 reports)

2024 - AI Incident Database
