
AI package hallucinations: what security teams need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Large language models still recommend nonexistent packages at material rates, with 24.2% hallucinations in GPT-4, 22.2% in GPT-3.5, 64.5% in Gemini, and 29.1% in Cohere across 47,803 how-to prompts, according to Lasso Security research. The risk is not just bad answers, but a poisoned dependency path that security and engineering teams must validate before code reaches production.

NHIMG editorial — based on content published by Lasso Security: Diving Deeper into AI Package Hallucinations

By the numbers:

Questions worth separating out

Q: What is the biggest risk when developers rely on LLMs for package recommendations?

A: The biggest risk is that the model invents a package that sounds legitimate, and the developer treats it as real.

Q: Why do hallucinated packages create supply-chain risk even when the model is not directly compromised?

A: Because the attacker does not need to break the model to exploit the output.

Q: How can security teams tell whether AI-generated package suggestions are being trusted too much?

A: Look for invented dependency names in code, tickets, build scripts, and chat threads, then trace whether they were ever validated against a registry or approved source.

Practitioner guidance

  • Verify every AI-suggested dependency against a trusted registry. Check package existence, maintainer identity, release history, and repository ownership before accepting any model-recommended dependency into code, documentation, or a ticket.
  • Add a provenance gate before installation. Block builds unless the package comes from an approved source, has a verifiable signature or checksum, and matches an internal allowlist for the language ecosystem in use.
  • Train developers to cross-check model output. Make AI-generated package names part of secure coding review.

What's in the full report

Lasso Security's full research covers the operational detail this post intentionally leaves for the source:

  • The full experimental setup across 47,803 how-to questions and four LLMs, including language-by-language methodology.
  • The per-model breakdown of hallucinated package rates and repetitiveness across GPT-4, GPT-3.5, Gemini, and Cohere.
  • The cross-model intersection analysis showing which hallucinated packages recurred across multiple systems.
  • The case-study notes on the fake package test and the GitHub repository search that surfaced real-world adoption.

👉 Read Lasso Security's research on AI package hallucinations and supply-chain risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

AI package hallucination is a supply-chain trust failure, not a content-quality bug. The article shows that model output can create false dependencies that developers may search for, install, or document. That shifts the attack surface from language generation into software acquisition and build-time trust. The practitioner implication is simple: any AI-suggested package must be treated as untrusted until provenance is independently confirmed.

A few things that frame the scale:

  • 52 real-world breaches show that identity failures become exploitable when trust is granted before provenance is verified, according to The 52 NHI breaches Report.
  • In our research, supply-chain and secret exposure patterns recur across many incidents, which is why package validation must be treated as a governance control, not a developer preference.

A question worth separating out:

Q: What should organisations do before allowing AI-generated dependencies into production?

A: They should require a controlled approval workflow that checks package existence, maintainer identity, signature or checksum, and vulnerability history. That workflow should sit between model output and installation so an invented package cannot move directly into production tooling or release pipelines.

👉 Read our full editorial: AI package hallucinations are creating a new supply-chain risk
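An added example, not code from the NHIMG posts or from Lasso Security's research, of the provenance gate described in the topic starter's practitioner guidance and in the approval-workflow answer above: it classifies pinned requirement lines against a registry existence check, an internal allowlist, and approved sha256 values, and flags names that exist nowhere as possible hallucinations. The registry snapshot, allowlist, artifact bytes, and the package name `ai-suggested-helper` are constructed stand-ins for what a real gate would query.

```python
import hashlib
import re

# Constructed, offline stand-ins for what a real gate would query (registry
# existence, internal allowlist, approved artifact hashes). Not real data.
ARTIFACT_BYTES = {"requests": b"constructed requests wheel", "urllib3": b"constructed urllib3 wheel"}
KNOWN_REGISTRY = {"requests", "urllib3", "cryptography"}
ALLOWLIST = {"requests", "urllib3"}
APPROVED_SHA256 = {n: hashlib.sha256(b).hexdigest() for n, b in ARTIFACT_BYTES.items()}

# A pinned requirement line, optionally hashed as pip's --require-hashes mode expects.
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==\S+(?:\s+--hash=sha256:(?P<sha>[0-9a-f]{64}))?$")

def normalize(name: str) -> str:
    """PEP 503 normalisation, so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def gate(requirements: str, artifacts: dict) -> dict:
    """Classify each requirement; artifacts maps name -> bytes that would be installed."""
    verdicts = {}
    for raw in requirements.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = REQ_LINE.match(line)
        if not m:
            verdicts[line] = "reject: unpinned or malformed requirement"
            continue
        name = normalize(m["name"])
        actual = hashlib.sha256(artifacts.get(name, b"")).hexdigest()
        if name not in KNOWN_REGISTRY:
            verdicts[name] = "reject: not in registry (possible hallucination)"
        elif name not in ALLOWLIST:
            verdicts[name] = "reject: exists but not on internal allowlist"
        elif m["sha"] is None:
            verdicts[name] = "reject: missing sha256 pin"
        elif m["sha"] != APPROVED_SHA256[name] or actual != m["sha"]:
            verdicts[name] = "reject: checksum mismatch"
        else:
            verdicts[name] = "accept"
    return verdicts

# Constructed requirements: a good pin, a tampered pin, a real but unapproved package, an invented name.
SAMPLE_REQUIREMENTS = "\n".join([
    "requests==1.0.0 --hash=sha256:" + APPROVED_SHA256["requests"],
    "urllib3==1.0.0 --hash=sha256:" + "0" * 64,
    "cryptography==1.0.0",
    "ai-suggested-helper==1.0.0",
])
```

Calling `gate(SAMPLE_REQUIREMENTS, ARTIFACT_BYTES)` returns one verdict per line; in a real pipeline the registry lookup and allowlist would be backed by the organisation's approved source rather than the constructed sets here.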
