Published on June 24, 2025
AI coding assistants may suggest packages that do not exist, or that have been "slopsquatted": attackers watch for names that AI tools hallucinate and register those names on registries such as PyPI and npm, relying on the AI tool to confuse them with legitimate packages. The resulting packages deliver malware, steal data, or create backdoors in developer environments. For example, the "slopsquatted" package @async-mutex/mutex recently tricked developers after appearing in Google's AI Overview, showing how easily such packages enter a software supply chain by exploiting trust in AI output.
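The defensive counterpart to the pattern above is to triage any package name an AI assistant proposes before it is installed: a name absent from the registry is most likely hallucinated (and, if it is later registered, is exactly a slopsquatting candidate), while a name that is present but newly registered, barely downloaded, or one or two characters away from a vetted package deserves a second look. The script below is an added example, not code from the original item; the registry snapshot, the allowlist and the pinned date are constructed for the example, and a real check would query the registry's metadata API instead of the inline dictionary.

```python
from datetime import date

# Constructed, offline stand-in for registry metadata (name -> creation date,
# weekly downloads). The numbers are made up for this example; "requests" and
# "numpy" are real PyPI names, the other two are invented lookalikes.
REGISTRY_SNAPSHOT = {
    "requests": {"created": date(2011, 2, 14), "weekly_downloads": 50_000_000},
    "numpy": {"created": date(2006, 1, 1), "weekly_downloads": 40_000_000},
    "pandas": {"created": date(2009, 12, 25), "weekly_downloads": 30_000_000},
    "requestz": {"created": date(2025, 6, 20), "weekly_downloads": 15},
    "numpy-utils-pro": {"created": date(2024, 1, 10), "weekly_downloads": 400},
}

# Names the organisation has already vetted (for example from its SBOM).
ALLOWLIST = {"requests", "numpy"}

TODAY = date(2025, 6, 24)     # pinned so the example is deterministic
NEW_PACKAGE_DAYS = 30         # registered more recently than this is a red flag
LOW_DOWNLOADS = 1_000         # fewer weekly downloads than this is a red flag
LOOKALIKE_DISTANCE = 2        # edit distance to a vetted name that counts as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess(name, snapshot=REGISTRY_SNAPSHOT, allowlist=ALLOWLIST, today=TODAY):
    """Return (verdict, reason) for a package name an AI assistant suggested.

    Verdicts: "allow" (vetted), "block" (not on the registry: likely hallucinated,
    so never install it and never publish something under that name),
    "flag" (present but with red flags), "review" (present, no red flags, unvetted).
    """
    if name in allowlist:
        return ("allow", "on the vetted allowlist")
    meta = snapshot.get(name)
    if meta is None:
        return ("block", "not on the registry: likely hallucinated, do not install")
    reasons = []
    near = sorted(k for k in allowlist if 0 < levenshtein(name, k) <= LOOKALIKE_DISTANCE)
    if near:
        reasons.append(f"lookalike of vetted package {near[0]}")
    if (today - meta["created"]).days <= NEW_PACKAGE_DAYS:
        reasons.append(f"registered within the last {NEW_PACKAGE_DAYS} days")
    if meta["weekly_downloads"] < LOW_DOWNLOADS:
        reasons.append("very low download count")
    if reasons:
        return ("flag", "; ".join(reasons))
    return ("review", "not yet vetted; manual review before first use")


def triage(names, **kwargs):
    """Map each suggested name to its verdict, for use in a pre-install hook."""
    return {n: assess(n, **kwargs)[0] for n in names}


if __name__ == "__main__":
    # Constructed list of names as an assistant might propose them.
    for n in ["requests", "requestz", "numpy-utils-pro", "pandas", "flask-auth-helperz"]:
        verdict, why = assess(n)
        print(f"{n:20} {verdict:7} {why}")
```

In practice the snapshot lookup would be replaced by a call to the registry (PyPI's JSON API or the npm registry endpoint), and the triage would run as a pre-commit or CI check over new entries in the lockfile, so that a hallucinated name is caught before anyone runs the install command that an attacker is counting on.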