HackerOne Blog

Slopsquatting: AI's Contribution to Supply Chain Attacks

Andrew Pratt
Security Researcher
AI Brain on Tech Background

As static websites evolved into interactive applications during the dawn of Web 2.0, developers quickly realized that building everything from scratch wasn't just inefficient; it was nearly impossible at scale.

 

To meet the growing complexity and expectations of end users, the industry has since cultivated a vast ecosystem of reusable tools, libraries, and frameworks. Now, with just a few commands, developers can import prewritten code into their projects thanks to open-source repositories like npm for JavaScript and PyPi for Python.

 

However, this convenience has come at a steep cost. Projects are now dependent on numerous packages which themselves rely on even more packages. What was intended to simplify development has now become a tangled, transitive mess that has significantly expanded the attack surface. Each dependency is a potential vulnerability and the severity of their compromisation is only limited by their popularity.

 

Today, in the same pursuit towards productivity, AI has been added to the development toolkit. Tools powered by large language models (LLMs) are now being used to write code, a practice that is being referred to as "vibe coding". However, just as the technologies that precede it, it too introduces new security risks into the software supply chain. AI-generated code frequently imports packages that do not exist, providing threat actors with opportunities to carry out "slopsquatting" attacks.

 

To fully understand the implications of this novel attack vector, let's first cover some background information.

The State of Supply Chain Security

We have become dependent on dependencies. For years, open-source components have made up the majority of modern application codebases, accounting for 70-90% of the code.

 

This overreliance has not gone unnoticed by threat actors. Community-centric repositories, where anyone can upload code, makes them an ideal medium to distribute malware. If a malicious package, containing arbitrary code is imported, adversaries can gain complete control over hosts and networks.

 

It is the assumption that every package is fully vetted for safety that has led to disastrous security breaches.

 

Analysis conducted by Sonatype, across 7 million open-source projects, found that last year:

 

  • Over 6.6 trillion open-source code downloads were made last year, demonstrating the level of reliance on these resources.
  • More than 512,847 packages contained malware.
  • A staggering 80% of dependencies are left unpatched for over a year, leaving them vulnerable to exploitation.
  • Even when updates are applied, 3.6% of those updates were to other insecure versions.

 

Additionally, a study performed by Concordia University discovered that out of 230,000 npm packages, 16.8% were under 35 lines of code and only provided basic functionality. These "trivial packages", which could easily be written from scratch using native utilities, were found in 10.9% of the 38,000 JavaScript applications evaluated. Although over half of the surveyed developers claimed these packages were "well implemented and tested", only 45.2% had been.

Dependency Attacks

In a dependency attack, a developer or system is tricked into importing a malicious package instead of a legitimate one. To increase the likelihood of their inclusion, threat actors will utilize various techniques including:

 

  • Typosquatting: By naming malicious packages similarly to legitimate ones, this technique takes advantage of slight misspellings in import statements.
  • Hijacking: Unauthorized access to registries, commonly achieved through the use of stolen credentials or domain takeover attacks, allows attackers to impersonate maintainers and upload or modify packages with malware. In 2024, the domain polyfill[.]io which served the browser compatibility package Polyfill, was acquired by a Chinese company. Shortly after the acquisition, the end users of approximately 490,000 were being redirected to websites hosting adult content. Polyfill had been tampered with.
  • Confusion: Dependency confusion attacks abuse the prioritization mechanism used by certain package managers when they encounter a name collision between private and public registries. If a package exists in both, the package with the higher version number will take precedence. This attack technique was responsible for the exploitation of the PyTorch library in December of 2022.

 

To increase the likelihood of their inclusion, attackers will use techniques such as typosquatting, naming the malicious packages similarly to legitimate ones, or causing a name collision between private and public registries.

 

Being able to inject arbitrary code can have severe consequences: remote code execution, backdoor installation, service disruption, infection propagation to other systems and data exfiltration.

Slopsquatting: When AI Serves an Opportunity for Malicious Hackers

"Slopsquatting" vulnerabilities, a play on the name "typosquatting", stem from a critical flaw in currently available AI models: they generate responses based on statistical probability of accuracy, not objective fact.

 

This leads to a phenomenon known as hallucination, in which a model confidently outputs incorrect or imaginary information. In software development, these hallucinations have resulted in references to non-existent packages, creating opportunities for threat actors to register a malicious package under the hallucinated name. If these errors go unnoticed, these packages will ultimately be installed and their malware will be executed.

 

In a collaborative effort between the University of Texas at San Antonio, the University of Oklahoma, and Virginia Tech, researchers found that slopsquatting vulnerabilities are generated at a shocking rate.

 

Using 16 popular LLMs and two unique prompt datasets, the researchers generated 576,000 code samples for testing. Each code sample was prompted twice, for a total of 1,152,000 package prompts across 30 tests.

 

Analysis of the code samples revealed that commercial models hallucinated packages at an average percentage of 5.2%. Open-source models were even more problematic, hallucinating packages at an alarming 21.7% of the time.

 

To put those numbers in perspective, out of the 2.23 million packages generated, 19.7% were hallucinated. A total of 205,474 completely fabricated and uniquely named packages were referenced.

 

ChatGPT models were four times less likely to make up package names when compared to their open source counterparts.

 

These insights highlight the pervasiveness of slopsquatting, even though modern LLMs boast a 96% success rate when it comes to correctly answering coding prompts. A far improvement from earlier models that generated code that contained CWEs 40% of the time.

Mitigation: How to Avoid Becoming a Victim to Slopsquatting

Although manual review of package names can help catch non-existent or suspicious entries, it is prone to human error and may not occur quickly enough to prevent an attacker from claiming a vulnerable name. To effectively mitigate the risk of slopsquatting attacks, proactive measures are preferable to reactive ones.

 

  1. All external package requests should be made through internal proxies. This centralizes scanning, logging, and validation, making it easier to detect anomalies.
  2. Legitimate package names should be explicitly provided, either manually or through carefully designed prompts, before code generation begins.
  3. Prompts should instruct the AI model to verify the legitimacy of package names and exclude any that are unverified or suspicious.
  4. AI models can also be fine-tuned with curated lists of known legitimate packages. When using this approach, care must be taken not to alter the underlying model weights in ways that degrade code quality.

 

Many AI code generation tools support the use of custom user rules and preferences, which can be configured to enforce these strategies consistently. If documentation uploads are supported, only official and trusted sources should be referenced.

 

These mitigation techniques should be applied iteratively, reviewed regularly, and used in combination for comprehensive protection.

New Attacks Require New Defenses

Slopsquatting attacks present a new take on a familiar supply chain attack technique. AI, just like humans, is prone to make mistakes, and as developers increasingly leverage the power of AI to write code, it is critical that awareness of this flaw is maintained. Simple name references or spelling errors give threat actors low-effort, high-reward opportunities to exploit development pipelines.

 

AI has evolved the way humans interact with technology, and has necessitated that our defenses evolve as well. 

AI