Qwiet AI Honored as Winner of Best Application Security Solution at the 2025 SC Awards

The rise of AI-generated code has indeed been a productivity breakthrough. However, it has also ushered in a new class of threat that most security teams are not adequately prepared for: the urgent and looming danger of slopsquatting.

What Is Slopsquatting?

Slopsquatting is a novel and unprecedented supply chain attack that exploits a flaw in how large language models (LLMs) generate code. When developers use AI tools to autocomplete or generate packages, they may unknowingly be fed nonexistent or hallucinated packages, and malicious actors are exploiting this new vulnerability at an alarming rate.

Attackers register packages with names similar to these hallucinated dependencies. If a developer unthinkingly installs the suggestion, the attacker’s code runs in their environment. That’s the slopsquat. It’s fast, opportunistic, and leverages developers’ trust in AI tools.

Why does this happen? LLMs don’t query live package registries; they generate suggestions based on patterns in their training data. If a tool “remembers” seeing a package-like name, it might invent one that looks plausible but doesn’t exist.

A Familiar Pattern With a Twist

This pattern is reminiscent of attacks on Newly Registered Domains (NRD). Back then, threat actors would spin up typo’d or fresh domains, launch phishing campaigns, and disappear before traditional defenses kicked in. Attackers use the same opportunism, but the attack surface is AI-generated code. Just like they once registered fake domains, they now register hallucinated packages.

However, slopsquatting presents a more complex challenge. The vulnerability isn’t just in the package registry but in the AI tool itself. These hallucinated suggestions are unpredictable, based on prompt context and training artifacts, and do not constantly focus on malicious intent, making them harder to block or preemptively detect.

The Rise of “Vibe Coding”

We’re in the era of vibe coding, faster iteration, faster commits, and sometimes, skipping traditional review workflows. AI copilots have made developers significantly more productive, but they also introduce hallucinated suggestions at a scale we’ve never seen before.

Without the proper guardrails, that’s a serious problem.

Imagine a developer asking their AI assistant for a logging library. The assistant suggests logger-pro-fast, a package that doesn’t exist. An attacker registers it and slips in malicious code. The developer installs it. Game over.

How Qwiet AI Solves It

At Qwiet AI, we anticipated this risk. Our platform includes a first-of-its-kind anti-hallucination agent that detects and blocks AI-generated code hallucinations before they ever enter your codebase or pipelines.

We combine this with:

  • Real-time dependency monitoring
  • Deep static code analysis
  • Pre-production vulnerability detection

This means you’re not just catching known bad packages, you’re catching the unknowns, including those that don’t exist yet but might show up in an AI suggestion tomorrow.

Future-Proofing the Software Supply Chain

Slopsquatting is just the beginning. Security teams must adapt to a world where machines, not just humans, write code. Like NRDs before them, we can get ahead of this wave if we modernize our security approach for how software is built today. 

The key is integrating security where code is written, not just where it’s deployed. That’s how we keep vibe coding safe and the software supply chain future-proof.

Stop AI hallucinations before they compromise your code.

Book a demo today to see how Qwiet AI protects your developers and pipeline.

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share

Read Next

Cybersecurity
June 10, 2025 11 min to read

Attacker Reachability Revisited: How Qwiet Slashes Open-S...

by Ian Botbyl

Our journey in application security has always been about empowering developers, making them the key players in shipping secure code without drowning in noise. Back in 2021, at ShiftLeft, we introduced the concept of “Attacker Reachability,” a way to focus only on those open-source vulnerabilities that could be exploited in a given application. The results […]

READ MORE
Cybersecurity
June 5, 2025 6 min to read

Human-Written Code vs. AI-Generated Code: We Still Scan I...

by Taylor Pierce

Key Takeaways AI-generated code is not inherently more or less secure than human-written code. The risks depend on how the code is reviewed, tested, and validated, not who or what wrote it. Security scanners treat both AI and human code the same way. They analyze syntax, structure, dependencies, and behaviors without considering the source of […]

READ MORE
Cybersecurity Cybersecurity for Developers DevOps
June 3, 2025 7 min to read

False Negatives in AppSec: What’s the Impact, What’s at R...

by Stuart McClure

Key Takeaways False negatives pose a significant hidden risk by allowing real vulnerabilities to slip through security scans undetected, leaving systems exposed without raising alerts. Technical limitations, changing environments, and tool trade-offs are the main reasons false negatives persist, even after decades of AppSec progress. Reducing false negatives requires a comprehensive and layered strategy that […]

READ MORE

Read Next

AppSec 201 Cybersecurity
May 6, 2025 9 min to read

Why No Single AppSec Tool Can Be the A-Player at Everything

by Eric Six

Key Takeaways All-in-one platforms trade depth for surface-level coverage: Bundling SAST, DAST, IAST, RAST, and ASPM into a single tool often leads to overlap in low-risk areas (e.g., basic code vulnerabilities) and blind spots in high-risk ones (e.g., complex business logic vulnerabilities). Context-aware tools, which understand an application’s specific context, outperform general-purpose scanners: These tools […]

READ MORE
AI AppSec Cybersecurity Cybersecurity for Developers Engineering
May 1, 2025 4 min to read

Why “Community Rules” Are a Wolf in Sheep’s Clothing

by Chetan Conikee

After years of uncovering investment and retail banking fraud, I’ve developed a finely tuned radar for risk disguised as innovation. So when security vendors market “community rules” as a revolutionary leap forward, my fraud-detection instincts go haywire. It’s a wolf in sheep’s clothing, a potential threat masquerading as transparency. Let’s be clear: regulated financial institutions […]

READ MORE
Cybersecurity
May 6, 2025 7 min to read

Time to Value: Why Real-Time Scanning Isn’t Worth the Tra...

by ELANGO SENTHILNATHAN

Key Takeaways While promising immediate feedback, real-time scanning often creates ‘noise’ without context. This ‘noise’ refers to the excessive and irrelevant alerts that tools running in the IDE or pre-save phase can generate. These tools may flag unreachable or non-exploitable code, leading to alert fatigue and dev pushback. CI/CD scanning, with its promise of higher […]

READ MORE
Subscribe to newsletter

Privacy Policy
Terms of Service © 2025 Qwiet. All rights reserved

Services
Company
Platform
Resources
Log In