An LLM wrote
npx react-codeshiftacross 47 files. The package didn't exist. Then someone registered it. 237 repos had already referenced it.
slopcheck validates npm package names in your docs and config files against the live registry — before that someone is waiting.
npx slopcheck .name: Slopsquatting Check
on: [push, pull_request]
jobs:
slopcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: mattschaller/slopcheck@v0.2.0
with:
paths: '.'Findings appear as workflow annotations directly on the PR diff.
AI coding agents hallucinate package names. According to USENIX Security 2025 research, ~20% of AI-generated code references packages that don't exist on npm. 58% of these hallucinated names recur consistently across prompts, making them predictable squat targets. Attackers register these phantom names as malware and wait for installs.
Your AGENTS.md, SKILL.md, .cursorrules, .mdc, and documentation files are attack surfaces.
ClawHub's official skills registry had 1,184 confirmed malicious entries in 2026 (Antiy CERT). The #1 most-downloaded skill was a macOS malware stager. Many attacks work by referencing a plausible-looking npm package that doesn't exist — yet.
slopcheck catches those references before your agents install them.
Scans markdown (.md, .mdc), YAML, and JSON files for install commands (npm install, npx, pnpm add, yarn add, bun add, bunx) → extracts package names → validates each against the live npm registry → reports phantom packages.
Zero runtime dependencies. Uses only Node.js built-in APIs.
Snyk and Socket evaluate packages that exist on npm. slopcheck catches references to packages that don't exist yet — the gap before any advisory database can know about them.
| Attack vector | How it works | slopcheck defense |
|---|---|---|
| Hallucinated package in AGENTS.md | AI generates npx react-codeshift, attacker registers the name |
Detects react-codeshift doesn't exist on npm |
| Hallucinated dependency in README | Developer copies npm install phantom-pkg from docs |
Flags phantom-pkg as not found |
| AI-generated SKILL.md with phantom packages | Spread across 237+ repos via copy/paste | Catches all non-existent package references |
| Unpublished packages | Package was removed from npm but had downloads (takeover risk) | Detects via npm downloads API, flags as unpublished |
| Security-held packages | Package removed by npm for malware (HTTP 451) | Flags with security hold warning |
slopcheck v0.2.0 — scanning 3 files for phantom packages
✗ left-pad — unpublished from npm (takeover risk)
└─ AGENTS.md:22 npm install left-pad
✗ react-codeshift — not found on npm
└─ AGENTS.md:14 npx react-codeshift --transform ...
└─ SKILL.md:8 npm install react-codeshift
⚠ suspicious-pkg — security hold (HTTP 451)
└─ .cursorrules:19 npm install suspicious-pkg
✓ 12 packages verified, 1 unpublished, 1 not found, 1 security hold
Found 2 phantom packages. Exit code 1.
Usage: slopcheck [options] [files/directories...]
Options:
-V, --version output version
--json output JSON instead of text
--concurrency <n> max concurrent registry checks (default: 10)
--ignore <packages> comma-separated list of packages to skip
--no-security-hold don't flag security holds as warnings
-h, --help display help
Arguments:
files/directories files or directories to scan (default: current directory)
directories are scanned recursively for .md, .mdc, .yml, .yaml,
.json, .cursorrules files
node_modules, .git, dist, build directories are always excluded
- uses: mattschaller/slopcheck@v0.2.0
with:
paths: '. docs/'
ignore: 'my-internal-pkg,another-known-pkg'
concurrency: '10'Honesty builds trust:
- Doesn't scan package.json or lock files. Use Socket.dev or Snyk for dependency analysis.
- Doesn't check if an existing package is malicious. Use @aikidosec/safe-chain for runtime install protection.
- Only checks if the package name exists on npm. A package existing doesn't mean it's safe — it means it's not a hallucination.
- USENIX Security 2025 — "We Have a Package for You!" — 576K code samples, 16 models, ~20% hallucinated package names
- Aikido Blog — Slopsquatting — attack vector analysis
- Aikido Blog — Agent Skills Spreading Hallucinated npx Commands — wshobson/agents incident, 237 repos,
npx react-codeshift - Antiy CERT — ClawHavoc Campaign — 1,184 malicious skills on ClawHub
- HackerOne — Slopsquatting: AI and Supply Chain Security — industry impact
- Trend Micro — Slopsquatting: When AI Agents Hallucinate Malicious Packages — supply chain attack patterns
- v0.3.0 — SARIF output for GitHub Code Scanning integration
See CONTRIBUTING.md.