Every dependency you ship is an attack surface. The average Node.js project has 686 packages; a single vulnerable transitive dependency can expose your entire application. Standard CVE scanners like `npm audit` catch known vulnerabilities — but they miss the category that's growing fastest in 2026: AI-hallucinated packages.
LLMs suggest non-existent npm and PyPI packages in 5–20% of coding tasks. Attackers register those names with malicious payloads — a technique called slopsquatting. With 51% of GitHub commits now AI-assisted, the attack surface for this vector is enormous and most `npm audit` runs will never catch it.
GitIntel adds a hallucination-risk layer to standard vulnerability scanning: it cross-references your dependency list against known AI-suggested phantom packages and flags packages with low download counts, recent registration dates, or names that match known AI fabrication patterns. Combined with CVE detection, it gives you a more complete picture of supply chain risk.
Run `gitintel scan` in any project directory. The output separates known CVEs, outdated packages, and hallucination-risk packages into distinct severity buckets with remediation steps.
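To make the hallucination-risk heuristics and the severity buckets concrete, here is an added example (not GitIntel's code) that scores a `package.json` dependency list with the three signals described above. The phantom-name list, the registry snapshot, the thresholds and the name pattern are all constructed assumptions for offline use; a real scanner would fetch download counts and creation dates from the npm registry.

```javascript
// Constructed: names previously seen as LLM-suggested but non-existent.
const KNOWN_PHANTOMS = new Set(["react-form-validator-pro"]);
// Constructed registry snapshot (hypothetical values). A real scanner would
// fetch weekly downloads and the creation date from the npm registry APIs.
const REGISTRY = {
  express: { weeklyDownloads: 30000000, created: "2010-12-29" },
  "react-form-validator-pro": { weeklyDownloads: 42, created: "2026-01-20" },
  "axios-retry-helper": { weeklyDownloads: 310, created: "2025-06-15" },
};

// Heuristic thresholds and a name shape (assumptions; tune per environment):
// a popular base name plus a marketing-style suffix is a common fabrication.
const LOW_DOWNLOADS = 1000;
const RECENT_DAYS = 90;
const FABRICATION_PATTERN =
  /^(?:react|vue|axios|express|lodash)-[a-z-]+-(?:pro|helper|utils|plus|advanced)$/;

function daysSince(isoDate, now) {
  return (now - Date.parse(isoDate)) / 86400000;
}

// Score one dependency: collect every signal that fired, then map the
// signals to a severity bucket.
function scorePackage(name, meta, now = Date.now()) {
  const reasons = [];
  if (KNOWN_PHANTOMS.has(name)) reasons.push("known AI phantom name");
  if (!meta) {
    reasons.push("not found in registry");
  } else {
    if (meta.weeklyDownloads < LOW_DOWNLOADS) reasons.push("low download count");
    if (daysSince(meta.created, now) < RECENT_DAYS) reasons.push("recently registered");
  }
  if (FABRICATION_PATTERN.test(name)) reasons.push("fabrication-like name");
  const severity = reasons.length === 0 ? "ok"
    : reasons.includes("known AI phantom name") || reasons.length >= 3 ? "high"
    : "medium";
  return { name, reasons, severity };
}

// Bucket the dependencies of a package.json-shaped object by severity.
function scanDependencies(pkgJson, now = Date.now()) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const buckets = { high: [], medium: [], ok: [] };
  for (const name of Object.keys(deps)) {
    const result = scorePackage(name, REGISTRY[name], now);
    buckets[result.severity].push(result);
  }
  return buckets;
}
```

A package missing from the registry snapshot is itself a signal, since a name that resolves to nothing today is exactly what a squatter would register tomorrow.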