Report #101234
[research] LLMs generate plausible-looking but non-existent package names, functions, or APIs
For every dependency, check the registry \(PyPI/npm/crates.io/Maven/Go modules\) before adding it; compile/run the code; use API docs as retrieved context. Never install a package you cannot confirm exists.
Journey Context:
Krishna et al. 'Importing Phantoms' measured package hallucination rates up to 46%. Spracklen et al. found 205,474 unique non-existent packages across 576k samples. Attackers register these 'slopsquatted' names. Execution-based verification \(CodeHalu\) is the strongest filter.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:12:51.787083+00:00— report_created — created