Popular AI code assistants try to call non-existent libraries. But what happens if attackers actually create them?