Introduces or recommends risk through compromised, malicious, abandoned, typosquatted, untrusted, or poorly pinned dependencies, tools, plugins, models, datasets, or upstream content. Unlike RAG Poisoning, the risk is in the operational supply chain rather than retrieved evidence for one answer. Unlike Insecure Output Handling, the unsafe element is an external dependency or component.
The model suggests a confidently named package that does not exist, the kind of name an attacker can pre-register as malware.
User: How do I parse ISO 8601 durations in Python? Assistant: Use the iso8601-durations library: pip install iso8601-durations, then import it and call parse_duration().
The generated setup command pulls latest with no version pin or checksum, inheriting whatever the registry serves at install time.
User: Add the analytics SDK to our build script. Assistant: pip install analytics-sdk # always grabs the newest release
The model names a known package, pins a version, and tells the user to confirm it against the registry.
User: How do I parse ISO 8601 durations in Python? Assistant: The maintained option is isodate (pip install isodate==0.6.1). Confirm the latest version and check it on PyPI before adding it, since I can't see the current registry state.
Models hallucinate package names at high rates, and the names recur predictably across prompts. Attackers can register those names in public registries so that hallucinated suggestions resolve to real malicious packages (Spracklen et al., 2025, "We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs").
Training data is frozen while the ecosystem moves. A dependency that was healthy in the corpus may since be abandoned, deprecated, or compromised, and the model recommends it from memory with no view of current registry state.
The model equates familiarity with safety. Recommendation strength tracks how often a package appeared in training text, but popularity is not provenance, and prevalence in scraped code says nothing about maintainer integrity or known CVEs.
Generated install commands and manifests rarely pin versions or verify checksums, because the quick-start snippets that dominate training data omit them. The output inherits the loosest practices of its sources.
Agentic coding makes recommendation into installation. When the agent runs the install command itself, a bad suggestion stops being advice a human might catch and becomes an executed supply-chain event, often inside CI or a developer machine with broad credentials.
The AI stack adds its own unvetted supply chain. Models, datasets, plugins, MCP servers, and prompt templates are pulled from public hubs with weaker signing and review norms than mature package ecosystems, multiplying upstream components nobody audits (OWASP, 2025, "LLM03: Supply Chain").
Categories of checks that can identify the issue. These are strategies, not specific implementations.
Resolve every recommended package against the live registry before anything installs it. A name that does not exist is a hallucination โ and because hallucinated names recur predictably, each one is also a pre-registration opportunity for an attacker, worth logging rather than just discarding.
Scan generated install commands and manifests with the same supply-chain tooling applied to human code โ unpinned versions, missing checksums, names within typosquat distance of popular packages, dependencies that are abandoned or carry known CVEs. The unpinned pip install is mechanically flaggable before it runs.
Maintain prompts known to elicit dependency recommendations and score existence, registry health, and pinning discipline โ not whether the suggested code works. Track which fabricated names recur across runs, since those stable hallucinations are the ones attackers can profitably register.
High-level reliability strategies that reduce how often this failure occurs.
Route package recommendations through live registry queries instead of training-data memory โ does the name exist, who maintains it, when was it last released, what CVEs are open. The model recommends from a frozen corpus by construction; iso8601-durations stops being suggestible the moment suggestions require a registry hit.
Require pinned versions and checksums in every generated install command and manifest, and require the verify-before-adding caveat when recommending from memory โ the ok example's shape. The quick-start snippets that trained the model omit pinning as a genre convention; the instruction has to overrule the genre.
When the agent runs installs itself, gate them โ package name, version, and registry-health summary shown before pip install executes, especially in CI or on machines with broad credentials. Agentic execution is what turns a bad suggestion into a supply-chain event; the gate reinserts the human review that used to sit between the two.