Application Modernisation · Deep dive 03

AI on a legacy codebase: real speed, real footguns

AI genuinely accelerates work on old code. It also invents packages that do not exist. How we get the speed without importing the failure modes.

Draft outline · Productivity / delivery lens
The anchor

A 2025 USENIX Security study found roughly 20% of packages recommended by LLMs do not exist, giving rise to slopsquatting (attackers pre-registering the hallucinated names), and research found AI-assisted repositories leaked secrets at a higher rate. The upside is real, so the piece is about capturing it safely, not refusing it.

Sources we build on
Primary
USENIX Security: package-hallucination study

Peer-reviewed measurement of how often LLMs invent dependencies, across 16 models.

Journalism
The Register / Ars on slopsquatting

Independent reporting on how hallucinated packages become a live supply-chain attack.

Article outline
  1. Why AI helps on legacy code. Comprehension, test generation, mechanical refactors.
  2. The hallucinated dependency. How ~20% phantom packages become slopsquatting.
  3. Secret leakage and other footguns. Where AI assistance quietly increases risk.
  4. Our guardrails. Provenance, SBOMs, dependency pinning, human review, sandboxing.
  5. Where we do not use it. The parts of a government codebase we keep hands-on.
How it aligns to what we do

The clearest not-just-security piece: it leads with productivity and delivery, treating AI as a genuine accelerator, then is honest about the failure modes. That balance is exactly the sceptical-practitioner tone the brand wants, and it differentiates us from both AI hype and AI fear.

Points to hit
Control it ratifies
ISM / E8 Supports ISM secure-software-development and supply-chain guidance; not a single-control piece, more an engineering-assurance stance.