Slopsquatting: when your AI invents a package that does not exist
Your AI assistant can suggest a package that does not exist. In 2026 that became a security risk with a name: slopsquatting.
What it is
AI assistants hallucinate library and package names. Studies put the rate at 5 to 22 percent of suggested packages. Attackers register the invented names and fill them with malware, so installing a hallucinated dependency can be a supply-chain attack you never saw coming.
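A pre-install check that addresses this, as an added example and not code from the original post or from Pauhu: it parses a requirements file, normalizes names the way the Python index does (PEP 503), and refuses any name absent from a known index snapshot. The snapshot, the sample requirements and the two invented package names are constructed for the example.

```python
import re

# PEP 503 normalization: case-insensitive, runs of "-", "_" and "." collapse to one hyphen.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Constructed stand-in for a registry index snapshot (e.g. a mirror of a /simple/ index).
# Only these names are treated as existing.
KNOWN_PACKAGES = {normalize(n) for n in ["requests", "Flask", "PyYAML", "python-dateutil", "numpy"]}

# "name[extras] specifier" (simplified PEP 508: no URL requirements, no markers).
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def parse_requirement(line: str):
    """Return the package name from one requirements line, or None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):   # blank, comment-only, or an option such as -r / --index-url
        return None
    m = REQ_RE.match(line)
    return m.group(1) if m else None

def find_unknown(requirements_text: str, known=KNOWN_PACKAGES) -> list:
    """Return requirement names that do not exist in the index snapshot."""
    unknown = []
    for line in requirements_text.splitlines():
        name = parse_requirement(line)
        if name is not None and normalize(name) not in known:
            unknown.append(name)
    return unknown

# Constructed sample: two real names plus two plausible-looking invented ones.
SAMPLE_REQUIREMENTS = """\
requests>=2.31            # real
Python_DateUtil           # real; normalizes to python-dateutil
flask-auth-helpers        # invented name, constructed for this example
yaml-fastparse[cli]==1.0  # invented name, constructed for this example
-r other.txt
"""

if __name__ == "__main__":
    for name in find_unknown(SAMPLE_REQUIREMENTS):
        print(f"refusing install: {name!r} is not in the known index")
```

Run it before `pip install -r`, with KNOWN_PACKAGES replaced by a real index snapshot or an allowlist your organisation maintains.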
Why models do it
They predict plausible-looking code, token by token. A plausible package name is not necessarily a real one, and the model has no way to tell the difference. It is guessing, confidently.
Why a compiler cannot
A compiler does not predict. It composes from cited operations and published standards, so every line traces to something that actually exists. It never invents an API, a function, or a package.
That is the difference between Pauhu Fusion and a model: composed, not guessed. It cannot suggest a dependency that does not exist, because it only composes from sources that do. The provenance is built in, not bolted on.