| Package | Verdict | Details |
|---|
What package hallucination is
Large language models complete patterns. When a pattern calls for a package that handles JWT auth for FastAPI, a model will sometimes produce a plausible name whether or not anyone ever published it. In a 2024 study of 576,000 generated code samples, researchers found that close to one in five recommended packages did not exist, and collected over 200,000 unique invented names. The names repeat across users, which is the dangerous part.
Repeatable phantom names are an attack surface. Someone registers the invented package, fills it with malware, and waits for developers to install exactly what their assistant suggested. The security community calls this slopsquatting, a modern cousin of typosquatting. You do not need to be careless to get hit; you only need to trust a suggestion once.
What the verdicts mean
| Verdict | Meaning |
|---|---|
| PHANTOM | The package is not in the registry. If a tool suggested it, the name was likely invented. Never pre-create internal names publicly; a squatter can claim them. |
| DANGER | The package exists, but it is both a near-miss of a popular name and young or barely downloaded. That combination is the classic squatting profile. |
| CHECK | Registered recently, rarely downloaded, deprecated, or one edit away from a popular package. Usually fine, worth thirty seconds of review. |
| OK | Established package. This says nothing about its quality, only that it is real and not an obvious impostor. |
What this tool checks
- Every dependency in a pasted
package.json(all dependency fields),requirements.txt(specifiers, extras, and markers are handled), or source code withimportandrequirestatements. - Node built-ins and the Python standard library are recognized and skipped, including modules removed in recent Python versions such as
telnetlib. - Registration date and monthly downloads (npm) and first upload date (PyPI) for existence checks with context.
- Edit distance against several hundred of the most-installed packages in each ecosystem, to catch
reqeustsandlodahsbefore they catch you.
How to protect yourself beyond this page
- Treat dependency suggestions from AI tools as unverified input, the same way you treat their code.
- Install from lockfiles in CI, so one bad
npm installon a laptop cannot silently add a package. - Check the registry page before first install: publish date, download counts, repository link, and whether that repository actually contains the code.
- Internal package names belong in a private registry with a scoped namespace, so nobody can shadow them publicly.
Questions people ask
Does my code get uploaded?
No. Parsing happens in your browser, and the only network requests are the package name lookups sent directly to npm and PyPI. You can verify this in the network tab, and the source is small enough to read in one sitting.
My internal company package shows as PHANTOM. Is that a bug?
No, it is the expected result: the tool only sees public registries. It is also a useful prompt to check that your internal name is protected from public registration.
Why is a real package flagged as a lookalike?
Edit distance cannot read intent. Forks and legitimately similar names will occasionally trip the check. The verdict text always says what the similarity is, so you can decide in seconds.
Which ecosystems are supported?
npm and PyPI, which is where the published hallucination research concentrated and where CORS-friendly registry APIs exist. Other ecosystems are on the issue tracker.