News
HalluSquatting: New Attack Turns AI Hallucinations Into a Botnet Distribution Channel

Israeli researchers have described HalluSquatting, a technique that exploits coding assistants' tendency to invent package and repository names in order to plant malicious code. The attack works against nine popular tools, including Cursor, GitHub Copilot, and Gemini CLI.
Contents
A team of researchers from Tel Aviv University, Technion, and Intuit has described a new attack technique targeting AI-based coding assistants. HalluSquatting exploits a well-known weakness of large language models, namely their tendency to invent package, repository, and plugin names, to fully automatically plant malicious code in developer tools that leads to botnet installations.
The attack mechanism differs from classic prompt injection, which requires a direct access channel to the target, such as a malicious email. HalluSquatting works without any direct interaction with the victim, relying solely on the predictability of language model errors.
How the Attack Works
Attackers first analyze popular repositories and tools that developers most often reference, then test specific AI assistants to determine which package, repository, or plugin names the models most frequently invent in response to typical prompts. Once such a fake name is identified, criminals register it in advance on platforms like GitHub or in plugin stores, planting malicious instructions or payloads there.
When a developer asks an AI assistant to perform a task, such as cloning a repository or installing a specific skill, the model may generate exactly that invented but previously hijacked name. The poisoned context then triggers what is known as promptware, enabling remote code execution and malware installation without the user's informed consent.
Scale and Effectiveness
The researchers recorded an exceptionally high and repeatable success rate, reaching 85 percent in repository cloning tasks and 100 percent in some plugin or skill installation scenarios. Notably, the same invented names appeared consistently across different language models and different applications using those models, meaning a single prepared trap can effectively hit many tools at once.
The researchers described this phenomenon as a fundamental shift in the economics of software supply chain attacks, since it allows criminals to position malicious resources exactly where AI systems are likely to look for them, instead of relying on users accidentally mistyping package names by hand.
Difference From Earlier Vulnerabilities
HalluSquatting is a separate technique from the recently described GhostApproval vulnerability, which allowed AI agents to write files outside their designated sandbox environment through errors in handling symbolic links. While GhostApproval attacked the boundaries of the security sandbox, HalluSquatting targets the very process of searching for and fetching external resources, exploiting models' natural tendency to make mistakes when generating names.
The list of affected tools includes both commercial products from major companies, such as Microsoft's GitHub Copilot, and independent assistants like Cursor, Windsurf, and Cline, showing that the problem affects an entire category of tools rather than a single product or vendor.
What Developers Should Do
Recommended countermeasures include forcing assistants to verify a resource's existence and trustworthiness before fetching it, validating package and repository names against trusted registries, disabling automatic, unattended command execution, and having platforms themselves preemptively reserve the names models most often hallucinate.
For Polish development teams increasingly relying on coding agents in their daily work, the study is a signal to treat AI suggestions about external dependencies with the same suspicion as links in unfamiliar emails. Automatically accepting package installations suggested by an assistant without manually verifying the source is becoming a real attack vector against company infrastructure.
Sources: New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware (thehackernews.com), New HalluSquatting Attack Allows Hackers to Poison AI Coding Assistants Into Installing Botnet Malware (cybersecuritynews.com), 'HalluSquatting' Turns AI Hallucinations Into Botnet Delivery Mechanism (securityweek.com)


