Sonatype releases AI coding security solution… removes 27% of fake packages

As AI coding assistant tools evolve, development speed is accelerating, but security risks are also increasing. In response, software supply chain security specialist Sonatype has introduced a new solution. On the 9th (local time), Sonatype officially launched “Sonatype Guide,” designed to help developers leverage AI to build more secure, high-quality open-source software. The platform automatically integrates with AI coding assistant tools to help eliminate fragile or non-existent packages, using only reliability-verified dependencies.

Sonatype pointed out that current AI models are often trained on open-source repositories from months or even years ago, so they frequently generate erroneous code or recommend “phantom packages” that do not exist. According to Sonatype’s upcoming research, mainstream generative AI models recommend non-existent open-source components up to 27% of the time. This leads to rework for developers, wasted LLM tokens, and in some cases security threats, since a package name that does not exist on a registry can be claimed by anyone.

Sonatype Guide addresses these issues by providing trusted references at the design stage and automating dependency management. Pre-test results for enterprises showed a security performance improvement of over 300% and a significant reduction in the resources needed for security patches. At the same time, compared to existing solutions, dependency upgrade costs were reduced by more than a factor of five.

Sonatype CEO Bhagwat Swaroop emphasized, “For all organizations seeking to maximize productivity, AI is an attractive tool, but not at the expense of security or maintainability. Guide gives AI coding tools ‘eyes,’ enabling them to make wiser, more prudent choices. This will be a leap forward for the industry.”

Sonatype Guide is compatible with mainstream AI coding platforms including GitHub Copilot, Google Antigravity, AWS Q, and IntelliJ-based Juni, without requiring changes to existing workflows or IDE environments. Its core technology is a Model Context Protocol (MCP) server, which intercepts package recommendations in real time as developers write code and steers the assistant toward verified, secure, and reliable packages. It also provides enterprise-level open-source search functionality and comprehensive API support, making it flexible enough for enterprises of various sizes and architectures.

The newly released Guide is based on “Sonatype Intelligence” technology, capable of proactively identifying vulnerabilities, malicious packages, deprecated projects, and more through real-time data analysis. By embedding an intelligent engine into the AI decision-making process, it guides developers to make safer, more reliable technical choices early on.

As AI-based software development becomes widespread, developer productivity is forming a new paradigm, but concerns about security and quality are also mounting. Against this backdrop, Sonatype Guide is expected to become a strategic solution to help enterprises overcome AI application challenges and continue to innovate on a foundation of secure code.
