This non-CVE item (priority 0.502, severity medium) describes a systemic supply chain risk in software development pipelines using AI coding assistants (GitHub Copilot, Cursor, Claude, ChatGPT, Gemini, and similar) that may generate hallucinated package names exploitable via dependency confusion. The risk is not vendor-specific but affects any organization whose CI/CD pipelines consume AI-generated dependency recommendations without independent verification. Security teams should audit AI assistant usage in development workflows, enforce SCA tooling on all pull requests, and require package provenance verification before installation of any AI-recommended dependency.