Security Tip: Have You Heard Of Slopsquatting?

[Tip #132] Your AI agent hallucinates a package name, confidently installs it, and keeps working - except an attacker registered that exact name, packed with malware. Welcome to slopsquatting.


You've probably heard of Squatting before (i.e. "the act of occupying an abandoned or unoccupied area of land or a building without lawful permission"), especially in the context of:

  • Cybersquatting / Namespace squatting / Domain squatting - registering unused or expired domains or packages relating to a brand or trademark, to sell back at a profit.
  • Typosquatting - registering similar domains or packages to trick users into misreading them, such as go0gle.com, paypa1.com, laraval/laravel.
  • Combosquatting - combining brand names with a relevant word, such as apple-support.com.
  • Soundsquatting - abusing names that sound the same out loud, such as four vs for.

But did you know we've got a new one?

Slopsquatting!

And yep, you guessed it - this relates to registering package names that coding agents hallucinate!

Consider the scenario: Claude or GPT is working hard on your app, realises it needs a dependency, hallucinates the name of the dependency it needs, and confidently runs:

composer require laravel-official/nightwatch

A human would look at it and know laravel-official isn't the correct namespace, but when your Agent is happily working away in Auto Mode, it'll run the command, and since the package actually exists (because the attacker registered it), it'll be installed. The Agent will keep doing its thing, oblivious to what has just happened.

By the time a human checks the prompt and sees what's been installed, it's way too late to do anything: the malware hiding in the package has already been executed.

According to the research into Slopsquatting, 19.7% of recommended packages don't exist, with 43% of hallucinated package names repeated every time (and that number rises to 58% for package names repeated multiple times). This is pretty concerning - if an Agent can repeatedly hallucinate the same package names, then an attacker can reliably identify hallucinations and create packages to match them.

So how do we protect ourselves?

  1. Don't let your agent install packages.
    All of the Agent tools include configuration options to require explicit approval for running composer and npm commands. Configure these so your Agent will stop and ask for permission every time. It may slow you down, but it's better than being infected with malware.
  2. Don't blindly approve installs.
    Not only do you need to manually approve installs, but actually look into the package the Agent wants to install. Check how popular it is, when the last update was, etc. You want actively maintained and popular packages.
  3. Enable Minimum Release Age.
    We talked about this last time. This setting will prevent your Agent from installing packages that were freshly created in response to a new hallucination being identified - which is very common with slopsquatting.
  4. Research and decide on a package before asking the Agent to do the work.
    Don't overlook the power of planning out the work your Agent is doing, and making the decision of which package(s) need to be installed before the work is started. This gives you more time to properly research your options. You can definitely use your Agent to help with this research too - just make sure you manually verify the package that gets selected.
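To make tips 2 and 3 concrete, here is an added example (not code from the original tip) of a pre-install gate that a human reviewer, or an approval hook, could run over the command an Agent wants to execute. It checks that the package exists, that its latest release and the package itself are older than a minimum age, and that it has a sensible download count. The registry snapshots, the frozen clock, the thresholds and the "laravel/nightwatch" namespace are all constructed assumptions for the example; the metadata shape is a simplified stand-in, not Packagist's exact schema.

```python
"""Pre-install gate for a Composer package: refuses hallucination-shaped installs
(unknown package, freshly created, unpopular) before any of its code can run.
Added example; registry data below is constructed, not fetched from Packagist."""
from datetime import datetime, timezone

# Constructed registry snapshots keyed by package name. A name that is absent
# from this dict is treated as "does not exist on the registry".
REGISTRY = {
    # Assumed legitimate namespace for the example: old package, regular releases.
    "laravel/nightwatch": {
        "created": "2024-11-05T00:00:00+00:00",
        "latest_release": "2025-05-20T00:00:00+00:00",
        "total_downloads": 250_000,
    },
    # The hallucinated name from the tip, registered days ago by a squatter.
    "laravel-official/nightwatch": {
        "created": "2025-06-01T00:00:00+00:00",
        "latest_release": "2025-06-01T00:00:00+00:00",
        "total_downloads": 12,
    },
}

NOW = datetime(2025, 6, 3, tzinfo=timezone.utc)  # frozen clock so the example is deterministic

def _age_days(iso: str, now: datetime) -> float:
    return (now - datetime.fromisoformat(iso)).total_seconds() / 86400

def check_package(name, registry=REGISTRY, now=NOW,
                  min_release_age_days=7, min_package_age_days=90, min_downloads=1_000):
    """Return (allowed, reasons). Every failed check is listed, so the human
    approving the install sees exactly why the Agent's choice looks suspicious."""
    meta = registry.get(name)
    if meta is None:
        return False, ["package does not exist on the registry (possible hallucination)"]
    reasons = []
    if _age_days(meta["latest_release"], now) < min_release_age_days:
        reasons.append(f"latest release is younger than {min_release_age_days} days")
    if _age_days(meta["created"], now) < min_package_age_days:
        reasons.append(f"package was created less than {min_package_age_days} days ago")
    if meta["total_downloads"] < min_downloads:
        reasons.append(f"fewer than {min_downloads} total downloads")
    return (not reasons), reasons

def gate_composer_require(command):
    """Parse 'composer require vendor/name[:constraint]' and run the checks.
    Returns (allowed, package, reasons); any other command shape is refused."""
    parts = command.split()
    if len(parts) < 3 or parts[:2] != ["composer", "require"]:
        return False, None, ["not a plain 'composer require <package>' command"]
    package = parts[2].split(":", 1)[0]
    allowed, reasons = check_package(package)
    return allowed, package, reasons
```

Wired into an approval hook, the gate blocks the tip's hallucinated install with three reasons while letting the established package through.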

It may be easy to think about Agentic development as leaving the AI to do all the work, but security is always going to be an important part of our jobs. AI is fallible and AI makes mistakes, and to be fair, so do Humans. However when both the Human and the AI are thinking about security, you're more likely to end up with a secure app than when neither of you are.
