Skip to content
| Marketplace
Sign in
Visual Studio Code>Other>AI Hallucination DetectorNew to Visual Studio Code? Get it now.
AI Hallucination Detector

AI Hallucination Detector

GhostCheck

|
2 installs
| (0) | Free
Flags AI-suggested npm imports that don't actually exist (phantom packages / slopsquatting)
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

AI Hallucination Detector

Catches "phantom packages" — cases where an AI coding assistant (Copilot, Cursor, Claude Code, etc.) confidently suggests importing an npm package that doesn't actually exist.

This is a real supply-chain risk known as slopsquatting: attackers watch for package names that AI tools commonly hallucinate, register them on npm, and fill them with malware. If you npm install a hallucinated name before checking it, you may be installing exactly that.

Demo: flagging a phantom package, hovering for an explanation, and applying the quick fix

What it does

  • Parses the active JS/TS file with the TypeScript compiler API (not regex) to find every import, require(), and dynamic import() call.
  • Checks each imported package name against a bundled list of AI-hallucinated packages documented in published security research — instantly, with no network request, since an attacker may have already registered the exact name a model tends to suggest.
  • Falls back to a live npm registry lookup for anything not already in that list, cached in memory so the same package isn't re-checked on every keystroke — only on file open/save.
  • Flags phantom packages with a diagnostic (red squiggle) and an explanatory hover message, sourced to the original research where applicable.
  • Offers a quick fix suggesting the real package name, either from the documented "what this was probably confused with" answer, or via string-similarity matching against a list of popular packages (e.g. axioz → axios).

Example

const shift = require('react-codeshift'); // flagged: documented AI hallucination (Aikido Security, Jan 2026)
const http = require('axioz');            // flagged: not on npm — quick fix suggests "axios"
const real = require('lodash');           // not flagged — real package

Status

Published on the VS Code Marketplace as an early-stage release. It currently covers phantom-package detection for JavaScript/TypeScript + npm only.

Planned next: method/API-level hallucination detection, config/CLI flag checking, and support for other language ecosystems.

Why this, and not just a vulnerability scanner?

Tools like Snyk, Socket.dev, and Aikido check whether a real package has known vulnerabilities. This checks something upstream of that: whether the package the AI just told you to install is real in the first place — live, in the editor, before you ever run npm install.

Issues & feedback

This repository is for documentation and issue tracking. Please open an issue here for bugs, feature requests, or to report a package name that should be added to the known-hallucination list.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft