
How to Fix AI Coding Agents Inventing Fake npm Packages

Why AI agents hallucinate npm packages that don't exist, how to spot it, and how to stop it.

Tags: Cursor, Claude Code, Codex, TypeScript, .md, .json. Updated Jun 8, 2026

A common and dangerous failure: the agent imports a package that does not exist — or worse, one a squatter has registered to match the hallucinated name.

The symptom

The agent writes an import for a plausible-sounding package and adds it to package.json, but install fails or pulls an unknown package.

import { magicValidate } from "zod-magic-helpers"; // does not exist

Why it happens

Models pattern-match on naming conventions (“there’s probably a -helpers package”) and generate names that sound real. This is the basis of “slopsquatting” supply-chain attacks.

How to spot it

  • A dependency you don’t recognise appears in the diff.
  • The package has near-zero downloads or was published very recently.
  • Install resolves a name that’s one character off a popular package.

How to fix it

[ ] Verify every new dependency exists and is the one you intend
[ ] Check weekly downloads + repo link before installing
[ ] Prefer packages already in the lockfile
[ ] Pin versions; review the lockfile diff
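An offline triage pass for the checklist above, written as an added example for this page (not the site's own tooling). It assumes the before/after package.json objects and the "packages" map of a package-lock.json as inputs; the well-known-package list and the sample diff are constructed, so a real run would take them from the repository and the registry.

```javascript
// Added example: flag newly added dependencies that are not already in the
// lockfile, and names that are one edit away from a well-known package.
// KNOWN is a constructed sample list, not a registry lookup.
const KNOWN = ["zod", "lodash", "express", "axios", "chalk", "commander"];

// Levenshtein distance, used for the "one character off" check.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Dependency names present in `after` but absent from `before`.
function newDependencies(before, after) {
  const prev = new Set(Object.keys(before.dependencies || {}));
  return Object.keys(after.dependencies || {}).filter((n) => !prev.has(n));
}

// For each new name: is it already resolved in the lockfile, and does it
// look like a near-miss of a package the team already trusts?
function triage(before, after, lock) {
  const locked = new Set(
    Object.keys(lock.packages || {}).map((k) => k.replace(/^.*node_modules\//, ""))
  );
  return newDependencies(before, after).map((name) => {
    const nearMiss = KNOWN.find((k) => k !== name && editDistance(k, name) === 1);
    return { name, inLockfile: locked.has(name), nearMiss: nearMiss || null };
  });
}

// Constructed sample: the agent added a hallucinated helper package and a
// name one character short of "express".
const before = { dependencies: { zod: "^3.23.0" } };
const after = {
  dependencies: { zod: "^3.23.0", "zod-magic-helpers": "^1.0.0", expres: "^4.0.0" },
};
const lock = { packages: { "": {}, "node_modules/zod": { version: "3.23.0" } } };

const report = triage(before, after, lock);
for (const r of report) console.log(r);
```

Anything reported with inLockfile false or a nearMiss set is what the checklist tells you to verify by hand before installing.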

Fix Prompt

You added a dependency I can't verify. List every new package, its npm URL,
and weekly download count. Replace any unverified package with a standard,
widely-used alternative or inline the logic instead.

Test

bun pm view <package> 2>/dev/null || echo "DOES NOT EXIST"

A successful lookup only shows that the name is registered on the registry; it does not show that it is the package you intended, so still check the download count and repo link before installing.