# How to Fix AI Coding Agents Inventing Fake npm Packages

> Why AI agents hallucinate npm packages that don't exist, how to spot it, and how to stop it.

**Type:** Failure  
**Tools:** Cursor, Claude Code, Codex  
**Stack:** TypeScript  
**Updated:** 2026-06-08

---

A common and dangerous failure: the agent imports a package that does not exist —
or worse, one a squatter has registered to match the hallucinated name.

## The symptom

The agent writes an import for a plausible-sounding package and adds it to
`package.json`, but install fails or pulls an unknown package.

```ts
import { magicValidate } from "zod-magic-helpers"; // does not exist
```

## Why it happens

Models pattern-match on naming conventions ("there's probably a `-helpers`
package") and generate names that *sound* real. This is the basis of
"slopsquatting" supply-chain attacks.

## How to spot it

- A dependency you don't recognise appears in the diff.
- The package has near-zero downloads or was published very recently.
- Install resolves a name that's one character off a popular package.

## How to fix it

```txt
[ ] Verify every new dependency exists and is the one you intend
[ ] Check weekly downloads + repo link before installing
[ ] Prefer packages already in the lockfile
[ ] Pin versions; review the lockfile diff
```
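The checks in the two lists above as a script, an added example that is not code from the original page: it scores a new dependency against a constructed registry snapshot rather than the live npm registry, so `SNAPSHOT`, `KNOWN_GOOD`, the 90-day and 1,000-download thresholds, and the Levenshtein near-miss test are all assumptions.

```typescript
// Added example: review new dependencies offline. SNAPSHOT stands in for the
// npm registry; the data, the thresholds and KNOWN_GOOD are assumptions.
interface RegistryMeta {
  created: string;          // ISO date of first publish
  weeklyDownloads: number;
  repository?: string;      // repository URL from package metadata, if any
}

// Constructed data, not real npm records; a null entry models a registry 404.
const SNAPSHOT: Record<string, RegistryMeta | null> = {
  "zod-magic-helpers": null,
  expres: { created: "2026-06-01T00:00:00Z", weeklyDownloads: 12 },
  "fast-deep-equal": { created: "2017-01-01T00:00:00Z", weeklyDownloads: 30_000_000,
                       repository: "https://github.com/epoberezkin/fast-deep-equal" },
};

// Packages already in the lockfile; "one character off" is measured against these.
const KNOWN_GOOD = ["zod", "lodash", "express", "react"];

type Finding = "missing" | "published-recently" | "low-downloads" | "no-repo" | "near-miss-of-known-package";

// Levenshtein distance: minimum number of single-character edits turning a into b.
function editDistance(a: string, b: string): number {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Returns the checklist items a new dependency fails; an empty array means it passed.
function reviewDependency(name: string, now: Date, registry = SNAPSHOT): Finding[] {
  if (KNOWN_GOOD.includes(name)) return [];                  // already in the lockfile
  const findings: Finding[] = [];
  if (KNOWN_GOOD.some((k) => editDistance(k, name) === 1)) findings.push("near-miss-of-known-package");
  const meta = registry[name];
  if (!meta) return [...findings, "missing"];                // absent or 404: nothing to verify
  const ageDays = (now.getTime() - Date.parse(meta.created)) / 86_400_000;
  if (ageDays < 90) findings.push("published-recently");
  if (meta.weeklyDownloads < 1_000) findings.push("low-downloads");
  if (!meta.repository) findings.push("no-repo");
  return findings;
}
```

In a real review the `registry[name]` lookup would be replaced by a request to the npm registry (a 404 means the package does not exist) plus the downloads endpoint; the decision logic stays the same.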

## Fix Prompt

```txt title="Fix Prompt"
You added a dependency I can't verify. List every new package, its npm URL,
and weekly download count. Replace any unverified package with a standard,
widely-used alternative or inline the logic instead.
```

## Test

```bash
bun pm view <package> 2>/dev/null || echo "DOES NOT EXIST"
```