News
HalluSquatting: Researchers Show How AI Hallucinations Open the Door to Botnets

Researchers from Tel Aviv University and Technion have described a technique called HalluSquatting, in which attackers register package and repository names invented by AI models, betting that a coding agent will fetch them on its own. In tests, the method worked against Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, and the OpenClaw family of assistants.
A team of researchers from Tel Aviv University, Technion, and Intuit has described a new attack technique targeting AI coding assistants, called HalluSquatting. Instead of breaking into a system or tricking a victim into clicking a malicious link, attackers simply predict which package, repository, or plugin name a language model will invent once it starts hallucinating, then register it first.
The mechanism exploits a known but so far poorly studied weakness of large language models: their tendency to invent nonexistent but plausible-sounding resource names. When a coding assistant is asked to clone a repository, install a package, or pull in an additional plugin, the model sometimes provides a path or name that never existed. Normally, such an operation simply fails with an error. The problem starts when someone has already registered that invented name and placed malicious code under it.
How the Trap Works
Unlike classic prompt injection, which requires some channel of contact with the victim, a malicious email, message, or crafted webpage, HalluSquatting needs no direct access to the targeted system at all. It's enough for an attacker to work out which names a given model most often hallucinates in specific scenarios, then claim those names in public package registries or repositories. The rest happens on its own once an unsuspecting user asks the agent to perform a routine task.
The researchers stress that these hallucinations are surprisingly repeatable, recurring regardless of the underlying model or the exact wording of the prompt. That means attackers don't have to stumble onto random errors: they can systematically map which names a given type of query most often produces, then register them in advance at scale.
Scale of the Threat
In tests run by the Tel Aviv team, the hallucination rate for repository cloning reached 85 percent, and for installing so-called skills, modular extensions of agent functionality, it climbed as high as 100 percent. The attack was verified against six popular tools: Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, and the OpenClaw family of assistants. In every case, the researchers managed to trigger execution of attacker-controlled code.
The attack requires no direct access to the target system, unlike classic prompt injection based on channels such as email or messaging - from the description by researchers at Tel Aviv University and Technion
The most worrying part is the potential for scale. Because a single registered hallucinated name can be queried by thousands of coding agent instances worldwide, the researchers warn the mechanism could be used to build botnets for DDoS attacks, cryptocurrency mining, or even automated ransomware campaigns. As coding assistants gain ever broader access to the terminal and file system, they themselves become part of the attack surface, one that needs to be secured just as seriously as traditional network infrastructure.
What It Means for Poland
For Polish development teams increasingly rolling out agentic coding tools in their daily work, HalluSquatting is a reminder that automatically executing model-generated commands without verifying their source is a real security risk, not just an academic curiosity. The countermeasures recommended by the researchers, forcing a lookup and confirmation of a resource before downloading it, disabling autonomous auto-run mode, and validating package and repository names, should become a standard part of configuring tools such as Cursor, Copilot, or Gemini CLI in corporate development environments.
The study comes a week after the disclosure of another flaw, GhostApproval, which allowed attackers to bypass the safeguards of six coding assistants using symbolic-link tricks and gain SSH access. Together, the two cases show that platform makers for AI agents must reckon with a growing number of specialized attacks that target the autonomy of these tools rather than classic code vulnerabilities.
Platforms such as GitHub, along with the npm and PyPI package registries, have already dealt with typosquatting, the practice of registering names deceptively similar to popular libraries. HalluSquatting takes the same mechanism to a new level: instead of counting on human error, the attacker counts on a predictable machine error, which makes defense harder, since classic allowlists of trusted names offer no protection against a resource that formally never existed.
Sources: The Hacker News (thehackernews.com), Decrypt (decrypt.co), SC Media (scworld.com)

