
Slopsquatting and Typosquatting: How to Detect AI-Hallucinated Malicious Packages

The rise of software supply chain attacks isn’t slowing down. While many developers are familiar with typosquatting, a new, AI-driven threat has emerged: slopsquatting (also known as "phantom dependencies"). Last week, Cloudsmith hosted a webinar unpacking the mechanics of these attacks, their real-world impact, and the practical ways engineering teams can defend their development pipelines.
If you missed the live webinar, don’t worry; here’s a recap of the biggest insights, examples of attacks, and expert perspectives shared by our speakers, Nigel Douglas (Head of Developer Relations) and Liana Ertz (Product Manager).
What is causing the increased threat from Typosquatting?
Typosquatting has been around for years, but attacks are now increasing rapidly thanks to:
- the scale of open-source ecosystems
- AI tools hallucinating package names
- developers relying more on autogenerated code
- the ease of publishing look-alike packages in public repositories
As Claire Speedy (Senior Growth Marketing Manager) framed it during the opening:
“These threats are everywhere. If you're shipping software, you can’t afford to ignore them.”
This session explored not just how these attacks occur, but how open-source data sources, security tooling, and artifact management workflows can be used to stop them before they ever reach production.
Understanding typosquatting and slopsquatting attacks
1. Understanding typosquatting
Typosquatting is a cyberattack where malicious actors register package names that are slight misspellings or variations of legitimate ones. The goal is to trick users into installing a deceptive, malicious package.
Common Tactics:
- Visual lookalikes (Character Swaps, misspellings, or reordering):
Attackers register names that look nearly identical to popular packages, relying on cognitive shortcuts. Users, and increasingly AI agents, glance at the text and "autocorrect" the error in their minds.
The Tactic: Swapping characters, omitting letters, or using "homoglyphs" (characters that look alike).
Examples:
- matplotltib (pretending to be Python's matplotlib)
- pytoich (pretending to be pytorch)
- reqeust (classic persistence, still actively blocked daily)
- Soundsquatting (Sound-alike or pronunciation-based variants)
This tactic targets developers who learn package names verbally (e.g., from podcasts, team calls, or YouTube tutorials) or use voice-to-text tools. The package name is spelled differently but sounds identical to the legitimate one.
The Tactic: Using homophones (words that sound the same) to bypass mental spelling checks.
Examples:
- pilow (mimicking pillow)
- colors vs colours (exploiting regional spelling differences)
- snyk vs snick (phonetic variations of branded tools)
- Combo-squatting or Name-stuffing
Instead of misspelling a name, attackers append "trust signals" (words like "-official", "-security", or "-plugin") to a legitimate brand name. This tricks developers (and AI models) into believing the package is an official extension of a trusted library.
The Tactic: [Trusted Brand] + [Common Suffix]
Examples:
- lodash-js or lodash-plugin (mimicking extensions to lodash)
- discord-dev (mimicking official Discord developer tools)
- noblox.js-proxy (mimicking the popular noblox.js wrapper)
2. Real-world example: A typosquatted PyPI package
Nigel demonstrated a live example using the OSV (Open Source Vulnerabilities) API, querying a malicious PyPI package called “roest”, a near-match for the legitimate requests library.
The OSV entry categorized it as:
“A typosquat on a popular package… delivering a crypto-miner payload.”
The critical point?
Even if PyPI removes the malicious package hours later, it might still be cached in an internal artifact store or build environment, making retrospective scanning essential.
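A retrospective scan of an internal cache against OSV, as an added example (not the code shown in the webinar). It uses OSV's public querybatch endpoint; the cached inventory, the versions, and the advisory ids in the sample response are constructed placeholders, and malware records are recognised by OSV's MAL- id prefix.

```python
import json
import urllib.request

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"


def build_batch(inventory):
    """One OSV query per cached artifact: (ecosystem, name, version)."""
    return {"queries": [
        {"package": {"ecosystem": eco, "name": name}, "version": ver}
        for eco, name, ver in inventory
    ]}


def query_osv(payload):
    """POST the batch to OSV (network call; not used by the offline sample below)."""
    req = urllib.request.Request(
        OSV_BATCH_URL, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(inventory, response):
    """Pair each artifact with its result (same order as the queries) and split findings."""
    results = response.get("results", [])
    if len(results) != len(inventory):
        raise ValueError("OSV returned a different number of results than queries")
    quarantine, review = [], []
    for artifact, result in zip(inventory, results):
        ids = [v["id"] for v in result.get("vulns", [])]
        malware = [i for i in ids if i.startswith("MAL-")]
        if malware:
            quarantine.append((artifact, malware))   # known-malicious package
        elif ids:
            review.append((artifact, ids))           # ordinary vulnerability advisory
    return quarantine, review


# Constructed inventory of an internal cache; "roest" is the package named in the article.
CACHED = [("PyPI", "roest", "1.0.0"), ("PyPI", "requests", "2.31.0"),
          ("PyPI", "examplelib", "0.1.0")]
# Constructed response in OSV's querybatch shape; the ids are placeholders, not real records.
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "MAL-0000-0000", "modified": "2024-01-01T00:00:00Z"}]},
    {},
    {"vulns": [{"id": "PYSEC-0000-0000", "modified": "2024-01-01T00:00:00Z"}]},
]}
```

Running this on a schedule over everything already cached catches packages that were clean when first pulled and flagged later, which an upload-time check alone does not cover.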
3. Why this problem exists: The “Wild West” of package ecosystems
Public upstreams like PyPI, npm, and crates.io are intentionally open and permissive: great for innovation, but also beneficial for attackers. New packages are uploaded daily. Manual vetting is almost impossible. That allows malicious typo-squatted packages to accumulate downloads before maintainers can detect and disable them.
Example: a typo-squatted npm package that sat unnoticed for over a year and still collected hundreds of downloads. This is exactly why organizations need to pull dependencies into a controlled platform like Cloudsmith instead of sourcing them directly from public registries; it provides an opportunity to scan, quarantine, and validate packages before they reach your developers or pipelines.
4. Introduction to Slopsquatting: The new AI threat
Slopsquatting is the modern evolution of this threat, driven by Generative AI. It occurs when Large Language Models (LLMs) hallucinate plausible-sounding package names that don't actually exist.
Attackers scan these LLM outputs to find "phantom dependencies" - packages that ChatGPT or Copilot thinks exist but don’t. The attackers then register these names on public registries like npm or PyPI.
"AI tools hallucinate nonexistent packages. Attackers register them. Developers copy-paste the code and accidentally install them. It’s a perfect exploitation chain." - Liana Ertz, Product Manager at Cloudsmith
The Scale of the Problem:
- Recent research (AI Incident Database) indicates that 20–35% of hallucinated package names in Python and npm were converted into actual malicious uploads in 2023.
- In 2024, hallucination rates for package names still range from 5–38% across leading LLMs.
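A pre-install gate for AI-suggested dependencies, as an added example (not from the webinar): it pulls package names out of `pip install` lines in generated text and holds anything that is not already vetted. The APPROVED set, the sample answer, and the name `example-phantom-utils` are constructed for illustration.

```python
import re

# Constructed allowlist: names already vetted and mirrored internally (assumption).
APPROVED = {"requests", "numpy", "python-dateutil"}
PIP_RE = re.compile(r"\bpip3?\s+install\s+(.*)")
# pip options that consume the following token as their value.
VALUE_OPTS = {"-r", "--requirement", "-i", "--index-url", "--extra-index-url",
              "-c", "--constraint"}


def normalize(name: str) -> str:
    """PEP 503 normalisation, so 'Python_DateUtil' and 'python-dateutil' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requested_packages(text: str):
    """Extract package names from `pip install ...` lines in pasted or generated text."""
    names, skip = [], False
    for line in text.splitlines():
        match = PIP_RE.search(line)
        for tok in (match.group(1).split() if match else []):
            if skip:                      # value of the previous option
                skip = False
            elif tok in VALUE_OPTS:
                skip = True
            elif not tok.startswith("-"):
                # Keep the name, drop version specifiers and extras.
                head = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", tok.strip("\"'`"))
                if head:
                    names.append(normalize(head.group(0).rstrip("._-")))
        skip = False
    return names


def gate(text: str):
    """Split requested names into approved ones and ones held for review."""
    seen = list(dict.fromkeys(requested_packages(text)))
    return ([n for n in seen if n in APPROVED], [n for n in seen if n not in APPROVED])


# Constructed LLM answer; "example-phantom-utils" stands in for a hallucinated name.
LLM_ANSWER = """To parse the dates, install the dependencies first:
$ pip install requests Python_DateUtil>=2.8
$ python -m pip install --index-url https://pypi.org/simple example-phantom-utils==1.2
Then import them in your script.
"""
```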
5. Developer behaviour is increasing the risk
Cloudsmith’s Artifact Management Report revealed another worrying trend:
Many developers said the majority of their code is AI-generated, and much of it is pushed to production with fewer peer reviews than ever before.
Nigel described this pattern as the rise of vibe-coding: generating code, trusting it, and shipping it without the right checks. Combined with slopsquatting, this creates a perfect storm for open-source malware infiltration.
6. How Cloudsmith helps detect & block malicious packages
Today, Cloudsmith integrates directly with the OSV data feed to automatically:
- Detect known malicious packages
- Quarantine them at upload
- Block them from developers and pipelines
- Enrich packages with vulnerability & malware context
- Provide package insights, provenance, and trust signals
Nigel demonstrated Cloudsmith’s policy engine in action:
A malicious package was uploaded → OPA policy detected OSV’s MAL- identifier → the package was instantly quarantined.
This happens before it reaches your developers or build systems.
Liana also shared what’s coming next: “We're ingesting more provenance metadata, publish dates, download activity, maintainers, to help identify high-risk packages early. We're also exploring MCP and upstream trust features to prevent dependency confusion.”
Key takeaways
- Slopsquatting is real: AI hallucinations are creating "phantom dependencies" that attackers are actively exploiting.
- Typosquatting is evolving: It's no longer just about misspellings; it's about confusing the developer and the AI.
- Automation is mandatory: You cannot manually vet every npm or PyPI package. You need policy engines that block bad artifacts at the door.
- Cloudsmith is your filter: By ensuring only trusted, verifiable artifacts reach your pipeline, you neutralize the risk of "vibe-coding" errors.
What you missed (quick summary)
If you couldn’t join the live session, here are the highlights you missed:
- Real demonstrations of malicious PyPI packages
- How OSV data is used to detect malware
- Examples of AI hallucinating dangerous package names
- Research on developer behavior and AI reliance
- A walkthrough of Cloudsmith’s quarantine + policy engine
- Q&A covering provenance, signatures, SLSA, and more
