AI agents hallucinate package names — and attackers are registering them. What's your defense?
Something I keep thinking about while building LineageLens Trellis: LLMs hallucinate package names *consistently*. The same fake names recur across models and prompts. Attackers have started harvesting those names and registering them on npm/PyPI with malicious install hooks — so when the next agent hallucinates `fastapi-utils-extra`, the install *succeeds*.
The part that unsettles me is that it beats code review completely. The import looks normal, the lockfile resolves, nothing in the diff is wrong. The malicious code isn't in the diff — it's on the registry, behind a name a model invented.
We ended up treating dependency introduction as a separate trust event from code edits: registry checks (package age, release count) plus an offline edit-distance pass for typosquats like reqeusts`, tied back to *which agent session* introduced the name.
But I'm genuinely curious what other makers do here. If you're using Copilot/Cursor/Claude Code daily — does anything stand between the agent and `npm install` in your setup? Or is the agent fully trusted the moment it suggests a dependency?
Follow our substack:https://lineagelens.substack.com/?utm_campaign=pub&utm_medium=web
Github Repo:https://github.com/karnati-praveen/lineagelens


Replies
Agree, that's a very dangerous and real threat. I never experienced it myself but that's probably because I strictly vet and check packages AI suggests, always adding "reputable and secure" as a requirement.
What I'd recommend is connect @Snyk and @Aikido Security to your codebase - they will ensure you not only use real packages but that you'll be aware keep them updated as new vulnerabilities are discovered.
Lineage Lens
@artk I completely agree that tools like Snyk and Aikido are valuable as part of the defense-in-depth story. My interest is slightly earlier in the pipeline though—before a dependency is even accepted.
If an agent hallucinates or introduces an unexpected package, I'd like to know which agent session suggested it, why it entered the workflow, and whether it passed basic trust checks before installation. I see registry scanners and provenance as complementary layers rather than alternatives.
@praveen62 That would be best, definitely. From my experience, the most reliable way would be to ensure the search and installation tooling won't allow AI to discover and install fake\malicious packages. I think this product is doing exactly that: @Socket - there's a Claude plugin, adding a requirement to check all new packages against their scoring should help.
Lineage Lens
what do you think about this and in a few days we are lauching trellis !!