The paper introduces Neutral Prompting Attacks (NPA), a novel method to subtly increase package hallucination in LLM-powered coding agents by using semantically benign instructions like encouraging imagination. NPA shifts the model's dependency generation towards more speculative package names, increasing both Hallucination Attack Success Rate (ASR) and Pip Install ASR. Experiments across multiple coding-oriented LLMs demonstrate that NPA effectively evades existing defenses, highlighting a significant software supply chain risk.
Seemingly harmless prompts like "imagine all possibilities" can covertly steer LLMs to hallucinate software packages, creating a stealthy attack vector that bypasses existing defenses.
LLM-powered coding agents increasingly participate in software development workflows by generating code, selecting dependencies, and producing package installation commands. This creates a new software supply chain risk: when an agent hallucinates a non-existent package, an attacker may register the hallucinated name and later compromise users who install it. Existing package hallucination attacks and defenses primarily focus on naturally occurring hallucinations, targeted dependency steering, or post-hoc package validation. In this paper, we introduce Neutral Prompting Attack (NPA), a highly stealthy attack paradigm in which semantically benign instructions, such as encouraging imagination and exhaustiveness, increase package hallucination propensity without containing explicit malicious intent. Unlike targeted dependency steering, NPA does not specify an attacker-chosen package. Instead, it shifts the model's dependency generation behavior toward more speculative package names. We evaluate NPA across multiple coding-oriented LLMs and package hallucination benchmarks. Our results show that NPA increases both Hallucination ASR and Pip Install ASR, changes the distribution of hallucinated package names, and evades existing static-analysis, LLM-based, and agent-based Skill defenses. These findings reveal that harmless-looking prompts can covertly manipulate hallucination behavior and create downstream software supply chain risks.