⚠️ SECURITY RESEARCH PROJECT ⚠️

GitHub: github.com/groovecoder/arangoql NPM: npmjs.com/package/arangoql

This is a proof-of-concept demonstrating "slopsquatting" - a supply chain attack vector where:

1. An LLM (like ChatGPT, Claude, etc.) hallucinates a package name
2. A developer trusts the LLM and runs npm install <hallucinated-name>
3. An attacker has registered that hallucinated name with malicious code
4. The malicious code runs on the developer's machine

This package is harmless - it only displays a warning message. But it proves that if you installed this by mistake, malicious code could have:

• Stolen your environment variables (API keys, secrets)
• Exfiltrated source code
• Modified your files
• Installed backdoors

If an LLM suggested you install "arangoql" for ArangoDB support, it likely meant the official package: arangojs

To fix this:

npm uninstall arangoql
npm install arangojs

If you intentionally want to use this proof-of-concept:

const ArangoQL = require('arangoql');

const db = new ArangoQL({
  url: 'http://localhost:8529',
  database: '_system',
  username: 'root',
  password: ''
});

// Execute AQL queries
const result = await db.query('FOR doc IN myCollection RETURN doc');

// Work with collections
const users = db.collection('users');
await users.save({ name: 'Alice', age: 30 });
await users.find({ name: 'Alice' });
await users.remove('user-key');

Note: This is a minimal implementation. For production use, use the official arangojs package.

• LLMs are increasingly used for coding assistance
• They sometimes "hallucinate" package names that don't exist
• Developers often trust and execute LLM suggestions without verification
• Attackers can register these hallucinated names preemptively

• Typosquatting: crossenv instead of cross-env (malicious version downloaded 700k+ times)
• Dependency confusion attacks on major companies
• Supply chain compromises through package registries

1. Verify package names - Check npm before installing
2. Review install scripts - Check package.json for postinstall hooks
3. Check package stats - Look at download counts, age, and maintainers
4. Use lock files - Prevent unexpected package resolution
5. Audit dependencies - Use tools like npm audit and Snyk
6. Don't blindly trust LLMs - Verify all suggestions

• OWASP: Dependency Confusion
• Snyk: Typosquatting Attacks
• NPM: Security Best Practices

MIT License - This is an educational/research project.

Found a way to improve this proof-of-concept? Pull requests welcome!

Visit the repository: github.com/groovecoder/arangoql

This package is for educational and research purposes only. It contains no malicious code and only displays warning messages. The author is not responsible for misuse of this concept.