Large language models invent software package names that do not exist. The worry, called slopsquatting, is that an attacker registers one of those invented names and waits for a developer, or an AI coding agent, to install it on the model's say-so. Nearly every study of slopsquatting has measured the same thing: how often the models hallucinate. This work measures the step that actually decides whether anyone gets hurt: of the names the models invent, how many has anyone registered, and when a hallucinated name is claimed, what for? The short version, across five models and 6,800 tries: the invented names are essentially never claimed by anyone, and the few hallucinated names that do get claimed are not attacks.
Inventing names never runs out
Five open-weight code models, asked for ordinary Python and JavaScript, produced 1,641 distinct package names that do not exist on npm or PyPI. The supply did not run dry. A second batch of 2,000 fresh generations still turned up 455 names never seen before, at nearly the same rate as the first. The pool of plausible, invented names a model will hand a developer is, for practical purposes, endless.
None of them are claimed
Inventing a name is exposure, not harm. A hallucinated name is only dangerous once someone registers it, so we followed all 1,641 of them to the registry and checked. Every single one is still unregistered. Not one has been claimed by anyone, defender or attacker. These are the names an attacker would have to think of independently, and they are sitting there untouched.
The names that are claimed are not attacks
To see what happens when a hallucinated name does get registered, we turned to names that have circulated publicly long enough to draw attention, 149 of them from published datasets. 22 are registered. For each, we pulled its real first-registration date and read its contents as text, without ever running the code. None are malicious. 19 of the 22 are one anonymous person quietly registering harmless placeholders, every one labeled "benign slopsquatting research package." The other three are an unrelated real tool whose name happens to collide, a personal name reservation, and a typosquat from 2019 that predates the whole idea.
The attack still works, it just isn't happening
None of this means the threat is imaginary. In a sealed, offline lab we confirmed the part that makes slopsquatting dangerous: a package can run code the instant it is installed, before it is ever imported. We showed it with a harmless package of our own, on both npm and PyPI. Had that package belonged to an attacker, their code would have run on the victim's machine at install time. The mechanism is real. What is missing, so far, is anyone bothering to register the names.
What this does and does not show
This is a snapshot, and its limits matter. Zero malicious is not zero risk: one weaponized package could still spread, and a benign placeholder can be updated into a harmful version later under the same name. The registered sample is small and drawn from public lists, which is exactly where defenders look first, and our corpus comes from our own prompts rather than live coding-agent traffic, so it is a controlled proxy for the real world, not a capture of it. What the numbers do support is narrower, and more useful, than the usual alarm: the names these models invent are, for now, sitting unclaimed, and among the hallucinated names that have circulated publicly and been claimed, none are malicious. The full method, every number, and every caveat are in the paper.