AI Agents Expose Ghost Dependencies In Software Supply Chains

Tianchu Chen of Tencent Xuanwu Lab reports that agentic coding workflows enable a class of software supply-chain risks termed "Ghost Dependencies," where LLMs introduce outdated component versions and fabricate non-existent package names. Experiments show hallucination rates up to 40% and frequent outdated versions, and the team proposes a Pre-Execution Hooks defense and publishes a plugin, Atuin, on Tencent Cloud CodeBuddy.