AI-Induced Supply-Chain Compromise: A Systematic Review of Package Hallucinations and Slopsquatting Attacks

The adoption of large language models (LLMs) and AI‑assisted programming has accelerated software production, but it has also created a novel supply‑chain vulnerability: package hallucination. When an LLM generates code, it may recommend nonexistent third‑party packages that “sound” plausible. Adversaries can register these phantom names in public registries, thereby poisoning the open‑source software supply chain. This attack pattern, termed \textit{slopsquatting}, combines aspects of typosquatting and dependency confusion but is triggered by AI hallucinations rather than human error. We systematically review this emerging threat. Following PRISMA‑2020 guidelines, we searched IEEE Xplore, ACM Digital Library, SpringerLink, Scopus and arXiv for publications (2018–Oct 2025) on package hallucination, typosquatting, dependency confusion, supply‑chain compromise and registry policies. Twenty‑one peer‑reviewed papers and seven credible industry reports met the inclusion criteria. We synthesize definitions, threat models and observed incidents; report empirical evidence of hallucination prevalence across LLMs (e.g., GPT‑series models hallucinate 5.2 \% of packages versus 21.7 \% for open‑source models); and map defenses at IDE, registry, CI/CD and runtime layers. We compare slopsquatting with typosquatting and dependency confusion using a new taxonomy and highlight gaps in current safeguards. Official policies from npm, PyPI, Maven Central, RubyGems, NuGet and CRAN show varying levels of name reservation, deletion and immutability. Our review exposes an urgent need for package‑existence validation within AI coding tools, stricter registry name policies and standardized provenance attestations.