Confirm every package your AI added is real - shippingszn launch readiness
AI builders sometimes 'hallucinate' a package — they confidently import a library name that doesn't exist. Attackers have figured out which fake names the AIs invent most often and registered those names with malicious code, so when you (or your AI) run install, you get the attacker's package instead of a helpful one.
This is a real, growing attack aimed squarely at AI-built apps. Studies found roughly a fifth of AI-recommended packages don't exist, and the same fakes get suggested over and over — predictable enough for attackers to camp on. In late 2025 a self-propagating malicious package spread through hundreds of repos this way, with nobody deliberately installing it. A regular vulnerability scanner won't catch it, because a brand-new malicious package has no known-vulnerability history yet.
The shippingszn CLI includes automated checks for this launch-readiness control.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- List every dependency in your package.json / requirements.txt / go.mod and your lockfile.
- For each one, confirm it exists on the real registry and looks legitimate — reasonable download counts, a real maintainer, a publish history, not a package created last week with 12 downloads.
- Be suspicious of names that are one character off a popular package, or that look like two real libraries mashed together.
- Remove any dependency you don't actually use — every extra package is extra risk.
- Pin your lockfile (commit package-lock.json / pnpm-lock.yaml / yarn.lock) so the exact resolved versions are locked and can't silently change.
Run the scanner | Unlock Launch Fix Kit
Canonical URL: https://shippingszn.com/i/dependency-integrity/