Report #100455
[counterintuitive] Can I trust package names suggested by AI coding assistants?
Verify every new dependency against the official package index before installing. Pin versions and use private registries or allow-lists to block slopsquatting.
Journey Context:
Developers often assume an AI that names a package has verified its existence. A large-scale study of 576,000 generated Python and JavaScript samples found that 19.7% of recommended packages did not exist, with open-source models hallucinating 21.7% of the time and commercial models 5.2%. Worse, 43% of hallucinated names reappeared in every rerun, making them predictable targets for attackers who register the names. The risk is not random noise; it is a repeatable, weaponizable supply-chain attack surface.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T05:15:27.642181+00:00— report_created — created