Your vendors might be using dangerous code
Slopsquatting: The New Supply Chain Threat from AI-Generated Code
How AI coding tools are creating vulnerabilities in the software your business depends on
You've probably heard the warnings about cybersecurity threats. But there's a new one emerging—and it doesn't require hackers to break in. It comes from within the software your business already uses.
It's called "slopsquatting," and it's a blind spot that could affect your company without you ever knowing it.
What Is Slopsquatting?
Slopsquatting is when attackers upload malicious code libraries under names similar to—but not quite the same as—legitimate, widely-used software packages. The trick works because developers using AI coding tools like GitHub Copilot or ChatGPT often accept auto-generated code without scrutiny. When an AI tool suggests importing a package with a slightly misspelled name, a developer might not catch it.
The attacker's malicious package gets installed. Your software now has a backdoor.
Traditional typosquatting attacks require someone to notice a spelling mistake. Slopsquatting exploits the trust we've started placing in AI suggestions—the assumption that if the AI recommended it, it's probably fine.
Why This Matters to Your Business
Your business doesn't need to be writing code to be exposed. If your software vendors, contractors, or in-house developers are using AI coding assistants, they could accidentally pull in malicious dependencies. One compromised library can expose customer data, steal payment information, or give attackers access to your entire system.
The risk is compounded because:
- Supply chain depth: You don't always know what third-party packages your software relies on
- AI acceleration: Pressure to ship faster with AI tools means less manual review of suggestions
- Visibility gaps: Your IT team may not have visibility into every package a vendor's code uses
What You Can Do Now
You don't need to ban AI tools—they're genuinely useful for productivity. But you do need guardrails:
- Ask vendors directly: How are your contractors using AI coding tools? Do they have a code review process that catches suspicious package names?
- Require dependency audits: Before deploying new software or updates, ask for a list of all third-party packages and their sources
- Enable security scanning: Many development teams now use automated tools to check for known malicious packages before code goes live
- Document your vendor standards: Make it clear in contracts that code must pass security checks before deployment
If you're working with a custom software vendor or have in-house developers, this is a conversation worth having. The safest approach isn't to avoid AI tools—it's to use them alongside proven security practices.
The Bottom Line
Slopsquatting is a new attack vector, but it's not unsolvable. Like most security risks, it comes down to attention, process, and asking the right questions of the people building your software. The organizations that'll be fine are the ones that treat AI assistance as a speed tool, not a replacement for review and verification.
Get in touch if you want to discuss how your custom software is being built and what safeguards are in place.
Want this for your business?
Tell us what you want to build — we’ll reply within one business day.
Book a free consultation