ICP·DevICP·Dev
Back to articles
AI AgentsJuly 12, 20263 min read

HalluSquatting: How Hackers Exploit AI Coding Hallucinations to Build Agentic Botnets

A groundbreaking attack vector dubbed "HalluSquatting" turns AI coding assistants' tendency to hallucinate packages into a remote code execution exploit. By pre-registering predicted fake repositories, attackers can hijack autonomous systems like Cursor, Gemini CLI, and GitHub Copilot to assemble global botnets.

Key takeaways

  • A groundbreaking attack vector dubbed "HalluSquatting" turns AI coding assistants' tendency to hallucinate packages into a remote code execution exploit
  • By pre-registering predicted fake repositories, attackers can hijack autonomous systems like Cursor, Gemini CLI, and GitHub Copilot to assemble global botnets
Share
HalluSquatting: How Hackers Exploit AI Coding Hallucinations to Build Agentic Botnets

HalluSquatting: How Hackers Exploit AI Coding Hallucinations to Build Agentic Botnets

For years, cybersecurity researchers have warned about the dangers of giving large language models (LLMs) direct execution privileges over local file systems and terminals. Now, a groundbreaking attack method called HalluSquatting (short for adversarial hallucination squatting) has turned those theoretical warnings into an active, highly scalable security crisis.

Unveiled by researchers from Tel Aviv University, Technion, and Intuit, this novel attack vector exploits a fundamental flaw in the cognitive limits of LLMs. By weaponizing the predictable ways in which AI models hallucinate package, repository, and plugin names, attackers can trick autonomous coding agents into pulling down malware—effectively assembling massive, heterogeneous botnets with zero direct system access.


The Anatomy of a HalluSquatting Attack

Unlike traditional "push-based" prompt injection attacks that require direct interactions with the target (such as sending a malicious email or messaging notification), HalluSquatting is entirely pull-based and untargeted. It hinges on the mathematical predictability of LLM errors.

When a developer asks an AI assistant to fetch a recently released, trending, or obscure code library, the model often struggles because the resource is missing from its offline training data. Rather than admitting ignorance, the AI will invent a plausible-sounding repository or package identifier.

The attack unfolds in four elegant, alarming stages:

  1. Reconnaissance & Probing: The attacker identifies trending software tools, repositories, or AI developer "skills". They query various LLMs repeatedly to observe and record the exact non-existent names the AI hallucinates when trying to fetch these resources.
  2. Claiming the Hallucination: The attacker registers these predicted fake names on public platforms like GitHub or package registries (npm, PyPI).
  3. Seeding the Payload: The attacker uploads the malicious repository, embedding indirect adversarial instructions (prompt injections) or raw payload scripts within it.
  4. Triggering the Hijack: An unsuspecting developer asks their local AI coding agent (like Cursor, Windsurf, GitHub Copilot, Gemini CLI, or Cline) to install or clone the trending tool. The AI hallucinates the squatted name, pulls down the malicious repository, reads the embedded instructions, and silently runs them via its local terminal.

A detailed 2D technical diagram showing the flow o...


Rising Threat: The "Agentic Botnet"

The ultimate goal of a HalluSquatting campaign is the creation of an agentic botnet. Once the hijacked assistant runs the attacker's code, it typically spawns a reverse shell, granting remote command-line control to the threat actor.

Because modern developer agents operate in the local command line with elevated user privileges, attackers can easily install persistent malware, siphon passwords, exfiltrate sensitive IP, or enroll the machine into a distributed denial-of-service (DDoS) botnet.

The scale of this vulnerability is staggering. Researchers reported that AI assistants hallucinated non-existent repositories up to 85% of the time when dealing with new resources, and that rate jumped to a shocking 100% for newer agentic skill installations. Furthermore, because different foundation models (such as GPT, Claude, and Gemini) share similar tokenization and naming heuristics, they often hallucinate the exact same fake names—allowing a single registered repository to trap users across multiple different platforms.


Who is Affected?

The researchers tested a variety of popular terminal-facing developer applications. In autonomous or semi-autonomous modes where human review is bypassed:

  • OpenClaw (and variants ZeroClaw/NanoClaw): Exhibited near-perfect susceptibility with success rates reaching 80% to 100%.
  • Cursor, Windsurf, Gemini CLI, and GitHub Copilot: While these tools maintain more developer-in-the-loop context, they still fell victim to the exploit 20% to 35% of the time.

How to Protect Your Development Environments

Until IDE and CLI developers roll out native safeguards, security teams must proactively defend their environments:

  • Turn Off "Auto-Approve" / Autonomous Modes: Never allow an AI agent to execute terminal commands (especially git clone, npm install, or tool executions) without manual, human approval.
  • Implement Registry Allowlisting: Configure developer environments to only pull from trusted internal mirrors or verified organization namespaces on public registries.
  • Search Before Fetching: Future AI iterations must be designed to perform live web or database searches to "ground" names before attempting automated retrievals. If the repository doesn't exist under the requested name, the agent should fail safely rather than guessing.

Tags

#AI Agents#Cybersecurity#GitHub Copilot#Cursor#Gemini CLI#Prompt Injection

What to read next

Enjoyed this? Get the next one

Subscribe to the newsletter and the next playbook lands in your inbox — no spam, unsubscribe anytime.