Security · 1h ago
Slopsquatting: How AI Coding Agents Enable a New Supply-Chain Attack
Attackers register hallucinated package names on npm and PyPI, exploiting AI coding agents that consistently import non-existent packages. The malicious packages execute install hooks with the developer's credentials, bypassing code review because the dependency appears legitimate. A new tool, LineageLens Trellis, gates these attacks by verifying registry metadata and detecting typosquatted names before commits.
Meridian48 take
The article's solution is vendor-specific, but the slopsquatting threat is real and growing; the industry needs broader guardrails before AI-generated code becomes the norm.
Read the full reporting
Slopsquatting: Your Coding Agent Is a Supply-Chain Attack Vector (and How We Gate It) →
DEV Community
supply-chain-attackai-coding-agents