Never in all my life did I imagine I had that headline in me, and yet, here we are. With that acknowledgement aside, let’s get straight into it. Slopsquatting. That’s the cybersecurity term if not ‘du jour’, well, then certainly the one catching my attention and funny bone right now. But, as always in cybersecurity, that which starts out amusing often surfaces a darker side and fast.
Before we tackle that neologism for the ages, let’s rewind to a much more relatable example. Put yourself back behind the keyboard when you were, say, deal hunting for artisanal coffee beans or maybe a vintage lava lamp. All it took was one wrongly keyed letter and rather than ‘CoffeeEmporium.com,’ you entered ‘CofeeEmporium.com’.
Not only is/was that a very easy mistake to make, but bam! You were greeted by a page hawking discount socks or (sometimes) worse.
While you may not have known it then (or, come to think of it, even now) you’d just stumbled into the wild, wacky world of typosquatting. All it is, really, is some cunning individual who has had the foresight to register an awfully similar domain for a bit of bait ‘n switch action, making you the meat in a typo sandwich.
At this point I’m not 100% sure which is worse, that miscreants do this, or that it works.
Anyway, typosquatting has now become the spiritual granddaddy to the infinitely more… something? Amusing? Fascinating? …slopsquatting.
Let’s go boldly, then, into slopsquatting, first by noting that the word itself conjures imagery of rejected dishes from medieval taverns.
It may or may not help that slopsquatting (admit it, that’s an awesome name) is a product of vibe coding. That’s AI-assisted programming where it’s just you, your thoughts, and a supposedly sentient bot working together and talking it out, with complete applications popping out some other end.
Let’s say, and as has happened in the field, your AI programming assistant confidently spits out a package called ‘secure-auth-lib’. Off you go and install it.
Problem is, the package doesn’t exist. Instead of a cunning individual doing clever things with URLs, the cunning AI hallucinated the package into being.
You can see where this is going. Sloppy vibe coding, sloppy use of AI, sloppy software: the package doesn’t exist, but it’s specified in the code.
As one might (accurately) imagine, the ‘slop’ part comes from low-quality, error-prone output of large language models (LLMs). The squatting bit?
Like many cybersecurity problems, it’s only an issue in theory at the minute, because the problem and the name for it are brand new. Right now, the theory goes that hackers could register fake (slop) packages on repositories like PyPI or npm, lace them with malware or backdoors, and Bob’s your uncle. The unsuspecting developer following an AI suggestion might unwittingly invite the digital equivalent of a Trojan horse into their code.
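A defender’s gate against both patterns described above (typo lookalikes and hallucinated names), as an added Python example that is not part of the original post: it parses a requirements list the way a pre-install hook would and refuses to pass anything that is not in a vetted inventory. The inventory and the dependency list are constructed; ‘secure-auth-lib’ is the name used in the post, and the team inventory, the two-edit threshold and the requirement format are assumptions.

```python
import re

# Constructed inventory of packages the team has already vetted (hypothetical).
TRUSTED = {"requests", "pyjwt", "cryptography", "flask", "sqlalchemy", "authlib"}

def normalize(name: str) -> str:
    """Canonical project name per PEP 503: lowercase, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line: str):
    """Bare project name from a requirements.txt line; None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(requirements: str, trusted=TRUSTED) -> dict:
    """Sort each name into trusted, lookalike (within 2 edits of a trusted name: the
    typosquat pattern) or unknown (absent from the inventory: the hallucinated or
    slopsquatted pattern). Anything not trusted should block the install for review."""
    trusted = {normalize(t) for t in trusted}
    report = {"trusted": [], "lookalike": [], "unknown": []}
    for line in requirements.splitlines():
        name = parse_requirement(line)
        if name is None:
            continue
        if name in trusted:
            report["trusted"].append(name)
            continue
        near = sorted(t for t in trusted if edit_distance(name, t) <= 2)
        if near:
            report["lookalike"].append((name, near))
        else:
            report["unknown"].append(name)
    return report

# Constructed stand-in for a dependency list pasted straight from an LLM session.
AI_SUGGESTED = """requests>=2.31
secure-auth-lib==1.0.0   # the hallucinated name from the post
reqeusts
PyJWT
"""
```

Running `triage(AI_SUGGESTED)` files requests and pyjwt under trusted, reqeusts under lookalike (two edits from requests) and secure-auth-lib under unknown, which is exactly the entry that should never reach `pip install` unreviewed.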
Who are these unsuspecting programmers? As AI rolls out everywhere, we’re seeing folks in all walks of life caught out. Programmers aren’t immune. And despite decades of bad software quality horror stories, vibe coding is carving out a handy niche for those who reckon the heavy lifting can be entrusted to The Machines. A very recent study gaining traction in the media found 205,000 unique hallucinated package names across major LLMs, with open-source models being the worst offenders.
My guess is it won’t be long before slopsquatting goes from knee slapper to serious problem.
Still. We can probably enjoy the joke for now. While pondering exactly who it is on.