Free Security Tool

    AI Hallucination Package Detector

    Detect slopsquatting risks in your dependencies. AI coding assistants hallucinate package names that don't exist - attackers register these names with malware.

    Detects AI hallucinations | Results in seconds | Slopsquatting protection

    What is Slopsquatting?

    AI Hallucinations

    LLMs hallucinate package names that sound real but don't exist. Research shows 19.7% of AI-suggested packages are fake, with some models reaching 33%.

    Attackers Register Them

    Attackers monitor AI outputs and register hallucinated package names with malware. One fake package "huggingface-cli" got 30,000+ downloads in 3 months.

    Vibe Coding Risk

    When you trust AI-generated code without verification, you may install backdoored packages. This scanner catches them before they reach production.

    Supported Ecosystems

    npm (package.json)
    pip (requirements.txt)
    Go (go.mod) - Coming Soon
    Cargo (Cargo.toml) - Coming Soon

    Frequently Asked Questions

    What is slopsquatting?

    Slopsquatting is when attackers register package names that AI coding assistants hallucinate. Unlike typosquatting (misspelled names), these are completely made-up packages that LLMs confidently suggest as if they exist.

    How often do LLMs hallucinate packages?

    Research shows 19.7% of AI-suggested packages don't exist. Open-source models hallucinate 21.7% of the time, while GPT-4 Turbo has the lowest rate at 3.59%. CodeLlama models hallucinate over 33% of packages.

    How does this scanner detect hallucinations?

    We check against a database of known hallucinated package names and patterns commonly generated by AI models. This includes names like "crypto-utils", "flask-utils", and other "-utils/-helpers/-lib" patterns that LLMs favor.
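A sketch of the kind of check described above, as an added example and not the scanner's own code: it parses requirements.txt and package.json content and flags names that are in a known list or end in the "-utils/-helpers/-lib" suffixes. The `KNOWN_HALLUCINATED` set, the function names and the sample manifests are constructed for illustration.

```python
import json
import re

# Constructed stand-in for the scanner's database, which the page does not publish.
KNOWN_HALLUCINATED = {"crypto-utils", "flask-utils"}
# The "-utils/-helpers/-lib" suffix patterns named on the page.
SUFFIX_RE = re.compile(r"[-_.](utils|helpers|lib)$")
REQ_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")  # leading project name


def pip_names(requirements_text):
    """Yield normalized project names from requirements.txt content."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        # Skip blanks, options (-r, -e, --index-url) and bare URLs.
        if not line or line.startswith("-") or re.match(r"[\w+.-]+://", line):
            continue
        m = REQ_NAME_RE.match(line)
        if m:
            # PEP 503: lowercase, runs of "-", "_", "." become "-".
            yield re.sub(r"[-_.]+", "-", m.group(0)).lower()


def npm_names(package_json_text):
    """Yield dependency names from package.json content."""
    manifest = json.loads(package_json_text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        yield from manifest.get(section, {})


def flag(names):
    """Return {name: reason} for names to verify on the registry by hand."""
    findings = {}
    for name in names:
        bare = name.rsplit("/", 1)[-1]  # drop an npm scope such as @org/
        if bare in KNOWN_HALLUCINATED:
            findings[name] = "known hallucinated name"
        elif SUFFIX_RE.search(bare):
            findings[name] = "matches -utils/-helpers/-lib pattern"
    return findings


# Constructed sample manifests.
SAMPLE_REQUIREMENTS = "Flask==3.0.0\nflask_utils>=0.1  # from assistant\nrequests[socks]>=2.31\n-r dev.txt\n"
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.19.0", "crypto-utils": "^1.0.0"}, "devDependencies": {"array-helpers": "1.2.0"}}'

if __name__ == "__main__":
    for text, parse in ((SAMPLE_REQUIREMENTS, pip_names), (SAMPLE_PACKAGE_JSON, npm_names)):
        for name, reason in flag(parse(text)).items():
            print(f"{name}: {reason}")
```

A flagged name is a prompt for manual verification on the registry, not proof that the package is malicious or missing.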

    What should I do if a hallucination is detected?

    First, verify the package exists on npmjs.com or pypi.org. If it doesn't exist, remove it immediately. If it does exist, check when it was created and by whom - recently created packages with few downloads are suspicious.

    Is this tool designed for vibe coding?

    Yes. When you use Lovable, Cursor, Bolt, Copilot, or other AI coding tools, you're at higher risk of slopsquatting attacks. This scanner helps verify dependencies before they compromise your project.