Friday, July 10, 2026

News

Researchers Break Nine AI Coding Assistants With HalluSquatting Attack

CodingPatryk Raba

Researchers from Tel Aviv University, the Technion and Intuit have detailed HalluSquatting, a technique in which attackers register fake resources that AI models predictably hallucinate, hijacking coding assistants with success rates of up to 100 percent.

Contents
  1. How the attack works
  2. Scale of the vulnerability
  3. From hallucination to botnet
  4. What developers can do

A team of researchers from Tel Aviv University, the Technion and Intuit has described a new attack technique called HalluSquatting that can hijack AI-based coding assistants by exploiting their tendency to hallucinate. In tests, the attack succeeded in up to 100 percent of attempts.

The publication comes at a time when coding assistants increasingly clone repositories, install packages and run tools on their own on behalf of developers. The researchers show that this autonomy, combined with models' tendency to make up resource names, creates a new attack surface.

How the attack works

The mechanism relies on the observation that language models predictably invent names of repositories, packages or plugins when they don't know the exact answer. Attackers register these hallucinated addresses in advance on real services and plant malicious code inside them.

When a user asks an AI assistant to, for example, clone a repository or install an extension, the model may reference a made-up but actually existing resource prepared by the attacker. The malicious content then hijacks the agent's context and executes commands on its behalf.

Scale of the vulnerability

The researchers tested nine popular agentic AI tools, including Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline and Gemini CLI, as well as the OpenClaw, ZeroClaw and NanoClaw agents. In repository-cloning scenarios the attack succeeded up to 85 percent of the time, and when installing skills, components that extend an agent's capabilities, it reached up to 100 percent.

The researchers also showed that the hallucinations are largely transferable across different base models and different applications. This means a malicious resource registered once can work against multiple tools simultaneously, without needing to be tailored to a specific product.

From hallucination to botnet

The paper's authors warn that the technique could be used to build what they call an agentic botnet, a network of hijacked AI assistants used for DDoS attacks, cryptocurrency mining, malware distribution and ransomware campaigns.

An agentic botnet does not rely on default or weak passwords and requires no lateral movement. Prompt injections also go unmonitored by firewalls, and the bot can be installed on any device regardless of operating system. - authors of the study from Tel Aviv University and the Technion

This sets the threat apart from classic malware-based botnets. The infection leaves no typical traces in network traffic, and its carrier is the language model's own operating logic rather than a software flaw.

What developers can do

The team stresses that the problem stems from a fundamental property of today's large language models, not a bug in any single product. Fully eliminating the risk requires changes on the part of model providers and agent developers, including better verification of sources before they are fetched and tighter limits on agent autonomy when executing unfamiliar commands.

For developers using assistants like Copilot or Cursor, this means treating suggested package and repository names with the same caution as links received by email, especially when working on code headed for production.

Sources: Cyber Press (cyberpress.org), Decrypt (decrypt.co), Tom's Hardware (tomshardware.com)

Share: