Package Hallucination Detection
AI assistants sometimes suggest packages that don't exist. Attackers exploit this by publishing malicious packages with AI-hallucinated names.
What is Package Hallucination?
Package hallucination occurs when:
- LLMs suggest non-existent npm/PyPI packages
- Developers install hallucinated packages without verification
- Attackers squat on commonly hallucinated names
- Malicious code runs via typosquatted packages
This is a real attack vector. Researchers found that 20%+ of AI-suggested packages don't exist, and attackers actively exploit this.
Detectors
ai_package_hallucination
Severity: High
Detects potentially hallucinated packages in your dependencies.
Triggers on:
- Packages with no downloads or a very recent creation date
- Names similar to popular packages (typosquatting)
- Packages with suspicious metadata
- Dependencies not in common registries
Example Detection:
```json
{
  "category": "ai_package_hallucination",
  "severity": "high",
  "message": "Potentially hallucinated package: 'react-auth-helper'",
  "file": "package.json",
  "line": 15,
  "remediation": "Verify this package exists and is legitimate before use"
}
```
ai_typosquat
Severity: High
Detects typosquatted package names.
Triggers on:
- Names 1-2 characters different from popular packages
- Common misspellings of well-known packages
- Hyphen/underscore variants
- Scope confusion attacks
Examples:
- `lodsh` (lodash)
- `reqeusts` (requests)
- `react-dom-router` (react-router-dom)
- `@babel/cores` (@babel/core)
ai_malicious_package
Severity: Critical
Detects known malicious packages.
Triggers on:
- Packages in malicious package databases
- Packages with known supply chain attacks
- Packages flagged by security advisories
How Attackers Exploit This
1. AI Suggests Non-Existent Package
```text
User: "How do I handle authentication in React?"
AI: "You can use the react-simple-auth package..."
```
2. Attacker Publishes Package
```bash
npm publish react-simple-auth
# Contains malicious code
```
3. Developer Installs Without Checking
```bash
npm install react-simple-auth
# Malware now in your project
```
Remediation
Always Verify Before Installing
```bash
# Check npm registry
npm info react-simple-auth
# Check package age and downloads
npm view react-simple-auth time
```
Use Lockfiles
```bash
# Commit lockfiles to version control
git add package-lock.json
git commit -m "Add lockfile"
```
Audit Dependencies
```bash
# npm audit
npm audit
# Use Oculum
oculum scan --depth verified
```
Configure Package Allowlist
In `package.json`:
```json
{
  "oculum": {
    "allowedPackages": [
      "react",
      "react-dom",
      "@tanstack/*"
    ]
  }
}
```
Common Hallucination Patterns
| Hallucinated | Actual Package | Issue |
|---|---|---|
| react-auth-helper | Various auth libraries | Made-up name |
| python-jwt | PyJWT | Wrong naming convention |
| express-session-store | express-session | Fictional package |
| lodash-utils | lodash | Non-existent variant |
Typosquatting Patterns
Watch for these common patterns:
Character Swaps
- lodash → lodsh, lodahs
- express → expres, expresss
Hyphen/Underscore
- date-fns → date_fns
- node_modules → node-modules
Scope Confusion
- @babel/core → babel-core (deprecated)
- @types/node → types-node
Similar Names
- colors (legitimate) vs colour (malicious)
- request (deprecated) vs requests (typosquat)
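As an added example (not Oculum's code), the following Python checker implements the triggers of the `ai_typosquat` detector and the typosquatting patterns listed above: hyphen/underscore variants, `@scope/pkg` vs `scope-pkg` confusion, reordered name segments, and names within two edits of a popular package. `POPULAR` is a constructed sample allowlist; a real deployment would feed it from registry download statistics.

```python
# Added example, not part of Oculum. POPULAR is a constructed sample of
# well-known package names; in practice it would come from registry data.
POPULAR = (
    "lodash", "express", "requests", "react-router-dom", "date-fns",
    "@babel/core", "@types/node", "colors", "request",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Collapse the variants the detector treats as equivalent:
    letter case, '_' vs '-', and '@scope/pkg' vs 'scope-pkg'."""
    name = name.lower().replace("_", "-")
    if name.startswith("@") and "/" in name:
        scope, pkg = name[1:].split("/", 1)
        name = f"{scope}-{pkg}"
    return name


def check_name(candidate: str, popular=POPULAR):
    """Return (reason, popular_name) when candidate looks like a typosquat
    or confusable of a popular package, else None. Exact matches with a
    popular name are legitimate and never flagged."""
    if candidate in popular:
        return None
    cand = normalize(candidate)
    for pop in popular:
        ref = normalize(pop)
        if cand == ref:
            return ("hyphen/underscore or scope variant", pop)
        if sorted(cand.split("-")) == sorted(ref.split("-")):
            return ("reordered name segments", pop)
        if levenshtein(cand, ref) <= 2:
            return ("within 2 edits of popular name", pop)
    return None
```

The two-edit threshold is deliberately loose, so very short names will produce false positives; a production detector would also weight by the popular package's download count before failing a build.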
Package Security Checklist
Before installing any AI-suggested package:
- Check npm/PyPI registry — Does it exist?
- Check downloads — Popular packages have millions of downloads
- Check age — Suspicious if created very recently
- Check maintainer — Known author or organization?
- Check GitHub — Does the repo exist and look legitimate?
- Check dependencies — Any suspicious sub-dependencies?
```bash
# Quick verification script
npm info $PACKAGE
npm view $PACKAGE time.created
npm view $PACKAGE repository
```
CI/CD Integration
Add package verification to your pipeline:
```yaml
# GitHub Actions
- name: Security Scan
  uses: oculum/scan-action@v1
  with:
    api-key: ${{ secrets.OCULUM_API_KEY }}
    fail-on-categories: "ai-package-*"
```
Related
- Model Supply Chain — Compromised AI models
- Unsafe Execution — Running malicious code
- CI/CD Setup — Automate package scanning