Detection accuracy

The 135-package benchmark, disclosed

The landing page claims 100% recall and 0 false positives on hallucinated package names. Here is the full methodology, the dataset, and the honest caveats — so you can judge the number instead of trusting it.

Last measured: 2026-07-03

What this measures — and what it doesn't

This benchmark measures one narrow thing: does Graneth correctly tell a real package name from an AI-hallucinated, slopsquatted, or typosquatted one? It is not a measurement of SAST quality, vulnerability detection, or any other part of the scanning pipeline — only package-name verification against live npm and PyPI registries.

Headline results
100%
Recall
65 / 65 hallucinated or bad names caught — 0 false negatives
0%
False-positive rate
0 / 70 real packages wrongly flagged
100%
Precision
Every flagged name in this sample was actually bad
Confusion matrix
OutcomeCountMeaning
TP65Hallucinated/bad name, correctly flagged
FN0Hallucinated/bad name, missed
TN66Real package, correctly passed
FP0Real package, wrongly flagged
Unverified4Real package — registry lookup transiently unreachable during the run, reported honestly as a third state
Dataset composition — n = 135
CountCategorySource
35Known AI-hallucination seed setLanyado et al., USENIX Security 2024/25; CSA advisory
2Published real-world hallucinations, not in the seed setLasso Security's huggingface-cli PoC; Socket.dev's react-codeshift case
3Historical typosquat takedownscrossenv, python3-dateutil, jeIlyfish — Snyk / Check Point write-ups
25Evaluator-fabricated names — the generalization testMimics the “popular-lib + generic-suffix” hallucination pattern; each verified 404 before inclusion; never seen by the detector before this run — all 25 caught
66Real, popular packages — true negativesLive npm / PyPI registries
4Real “near-miss” edge cases, 1 edit from a famous namee.g. jsdoc vs. jsdom
Methodology

These numbers come from running Graneth's real production detector — the exact code path a live scan uses — against this labelled sample, checked against the live npm and PyPI registries. Nothing here is a mock or a synthetic stand-in for the detector.

The sample combines known AI-hallucination research data, two independently published real-world hallucination incidents, three historical typosquat takedowns, and 25 names the evaluator fabricated specifically to test generalization: names built to mimic the same “popular library + generic suffix” pattern hallucinated by AI coding agents, each confirmed to 404 on its registry before being added, so none were accidentally real.

The result: all 65 hallucinated or bad names were flagged (100% recall, 0 false negatives) — including all 25 names the detector had never seen, which is the generalization signal that matters more than the headline number — and none of the 70 real packages, including 4 real near-miss edge cases, were wrongly flagged (0% false-positive rate).

Honest caveats

Narrow claim. This measures detection of AI-hallucinated, slopsquatted, and typosquatted package names — whether a dependency exists, or is a near-miss of a real one. It says nothing about SAST quality, vulnerability detection, or any other part of Graneth's scanning pipeline.

Sample, not exhaustion. 135 labelled packages is a sample, not an exhaustive benchmark. A 100% result on this sample is not a guarantee against every hallucinated name that could ever appear.

“Unverified” is a real third state. On this run, 4 real edge-case packages returned “adoption unverified” because the registry's downloads endpoint was transiently unreachable — reported honestly as unverified, never silently counted as a false positive or a false pass. The number that comes back unverified varies run to run with transient network conditions; it is not a fixed property of the detector.

Not independently reproducible today. The benchmark harness and dataset live in a private repository, so this isn't an open, run-it-yourself benchmark. What we disclose instead is the full methodology, the exact numbers, and the dataset composition and sources below, so the result is judgeable even though the harness isn't public.

No guarantees. “100% recall” describes this measured sample on this date — not a promise that Graneth catches every hallucinated package name, in every case, forever.

Sources
  • Lanyado, B. et al. — AI package hallucination research, USENIX Security 2024/25
  • Cloud Security Alliance (CSA) — advisory on AI-hallucinated package names
  • Lasso Security — huggingface-cli hallucinated-package proof-of-concept
  • Socket.dev — react-codeshift hallucinated-package case study
  • Snyk — typosquat write-ups (crossenv, python3-dateutil)
  • Check Point Research — typosquat write-up (jeIlyfish)