Software Supply Chain Risk in Package Managers, Including AI-Driven Slopsquatting
ENISA published a March 2026 technical advisory on the secure use of package managers, warning that modern development workflows (e.g., npm, pip, Maven) can pull in far more code than developers expect due to direct and transitive dependency resolution. The advisory highlights how applications inherit large dependency graphs—often including unused modules—that still introduce vulnerabilities, maintenance and provenance risk, and expanded trust assumptions across the software supply chain. ENISA recommends secure practices for selecting, integrating, monitoring, and remediating vulnerable third-party dependencies as part of the SDLC.
Separately, security researchers and industry commentary describe slopsquatting, a supply-chain technique that exploits AI coding assistants’ tendency to hallucinate plausible-but-nonexistent package names. Attackers can register those “phantom” names in public repositories and publish packages that appear to match the expected functionality while embedding malicious payloads, turning AI-generated suggestions into a predictable package-name acquisition strategy. The risk is positioned as distinct from typosquatting (human error) and is framed as requiring additional detection approaches beyond traditional controls, including more behavioral and validation-focused checks before adopting AI-suggested dependencies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ENISA issues package manager security advisory covering AI-assisted dependency risk
ENISA's March 2026 Technical Advisory on secure package manager use warned about software supply-chain risks from public repositories, transitive dependencies, malicious packages, and compromised maintainer accounts. The advisory also noted that AI/LLM-assisted development can introduce dependencies that require the same validation and security review as manually chosen packages.
Contrast Security describes emerging 'slopsquatting' supply-chain attack
Contrast Security published an analysis of 'slopsquatting,' a software supply-chain technique in which attackers register AI-hallucinated package names and seed them with malicious code. The write-up explains how AI coding assistants can suggest non-existent dependencies that developers may install without verification.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Open-Source Supply-Chain Risk Amplified by AI-Accelerated Development and Automation
Software supply-chain compromise continued to blend into normal development activity, with attackers exploiting the speed and trust of modern workflows—third-party dependencies, automated updates, and rapid release cycles—to distribute malware and steal credentials. A ReversingLabs study covering 2025 open-source ecosystems reported **npm** as the dominant distribution channel for malicious packages, including incidents where attackers **compromised maintainer accounts** and shipped tainted updates that propagated quickly into downstream projects via routine dependency updates and CI/CD processes. One highlighted case was the **Shai-hulud** worm, described as a registry-native, self-propagating threat that used **stolen credentials** to inject malicious code into **hundreds of packages**, exposing **tens of thousands of downstream repositories** and complicating detection because it did not rely on external infrastructure. In parallel, commentary on generative AI’s impact on software delivery emphasized that faster code production and release pressure can increase security debt: reported industry claims that **20–30% of code** at major firms is AI-generated, alongside estimates that a large share of AI-generated code can introduce **OWASP Top 10**-class weaknesses, reinforcing the need for stronger testing and controls as development velocity increases.
Mar 21, 2026
Software Supply Chain Threats Targeting Open-Source Ecosystems and Developer Tooling
Open-source software supply chain risk continued to escalate, with reporting citing **454,600+** newly identified malicious packages across major repositories (including **PyPI, npm, Maven Central, NuGet, and Hugging Face**) and tactics ranging from **credential theft** to **multi-stage attacks** and even early **self-replicating** package malware. The activity reportedly concentrated heavily in **npm**, including high-volume “ecosystem flooding” (e.g., single accounts publishing **150,000+** malicious packages in days) and **hijacking of trusted projects**, exploiting developer reliance on superficial trust signals such as package names, READMEs, and download counts. Separately, researchers disclosed **“PackageGate”** vulnerabilities in JavaScript package managers (**npm, pnpm, vlt, and Bun**) that can bypass common post-incident defenses—namely `--ignore-scripts` and lockfile integrity—enabling malicious code execution via compromised dependencies. Koi Security reported six issues; **pnpm, vlt, and Bun** shipped fixes, while **npm** reportedly treated the behavior as expected. In parallel, threat actors abused **GitHub’s fork architecture** to distribute a spoofed *GitHub Desktop* installer promoted via search ads; execution deployed **HijackLoader** and established persistence via a **scheduled task**, underscoring that supply chain threats extend beyond package registries into developer tooling distribution channels.
Mar 21, 2026
Malicious open-source packages and developer-targeted supply chain attacks
Security researchers reported multiple **software supply chain** threats targeting developers via public package ecosystems. Tenable analyzed a malicious npm package, **`ambar-src`**, that reached roughly **50,000 downloads** in days before removal; it executed during installation via **malicious `preinstall` behavior**, used evasion techniques, and dropped OS-specific payloads for Windows, Linux, and macOS, with typosquatting assessed as the likely lure (mimicking *`ember-source`*). Separate reporting described a campaign using **malicious NuGet packages** (e.g., **NCryptYo**, **DOMOAuth2_**, **IRAOAuth2.0**, **SimpleWriter_**) that impersonated legitimate .NET libraries, executed code on assembly load, and established local proxying/backdoor behavior to facilitate credential theft and persistence in ASP.NET environments. Additional coverage warned of an npm “worm-like” propagation pattern impacting **CI pipelines and AI coding tools**, reinforcing that developer tooling and build systems are high-risk choke points where a single poisoned dependency can spread quickly across environments. While the broader set of articles also included unrelated breach, ransomware, and policy items, the developer-focused supply chain reporting consistently emphasized that **installation-time execution** and **typosquatting/impersonation** enable compromise even when developers never directly call the malicious code, and that traditional detection can lag (e.g., low initial antivirus detection rates for obfuscated .NET payloads).
Mar 21, 2026