{
  "id": "ai-invents-fake-npm-packages",
  "type": "failures",
  "category": "failures",
  "locale": "en",
  "url": "/failures/ai-invents-fake-npm-packages",
  "title": "How to Fix AI Coding Agents Inventing Fake npm Packages",
  "description": "Why AI agents hallucinate npm packages that don't exist, how to spot it, and how to stop it.",
  "tools": [
    "Cursor",
    "Claude Code",
    "Codex"
  ],
  "stack": [
    "TypeScript"
  ],
  "tags": [
    "dependencies",
    "hallucination",
    "security"
  ],
  "difficulty": null,
  "updated": "2026-06-08",
  "markdown": "A common and dangerous failure: the agent imports a package that does not exist —\nor worse, one a squatter has registered to match the hallucinated name.\n\n## The symptom\n\nThe agent writes an import for a plausible-sounding package and adds it to\n`package.json`, but install fails or pulls an unknown package.\n\n```ts\nimport { magicValidate } from \"zod-magic-helpers\"; // does not exist\n```\n\n## Why it happens\n\nModels pattern-match on naming conventions (\"there's probably a `-helpers`\npackage\") and generate names that *sound* real. This is the basis of\n\"slopsquatting\" supply-chain attacks.\n\n## How to spot it\n\n- A dependency you don't recognise appears in the diff.\n- The package has near-zero downloads or was published very recently.\n- Install resolves a name that's one character off a popular package.\n\n## How to fix it\n\n```txt\n[ ] Verify every new dependency exists and is the one you intend\n[ ] Check weekly downloads + repo link before installing\n[ ] Prefer packages already in the lockfile\n[ ] Pin versions; review the lockfile diff\n```\n\n## Fix Prompt\n\n```txt title=\"Fix Prompt\"\nYou added a dependency I can't verify. List every new package, its npm URL,\nand weekly download count. Replace any unverified package with a standard,\nwidely-used alternative or inline the logic instead.\n```\n\n## Test\n\n```bash\nbun pm view <package> 2>/dev/null || echo \"DOES NOT EXIST\"\n```"
}