News
Researchers Demonstrate HalluSquatting Attack That Turns AI Coding Assistants Into a Botnet

Researchers from Tel Aviv University, Technion, and Intuit have described a new attack technique that exploits AI model hallucinations to smuggle malicious code through popular coding tools, including GitHub Copilot and Cursor.
Contents
A team of researchers from Tel Aviv University, Technion, and Intuit has described a new attack technique called HalluSquatting, which exploits AI coding assistants' tendency to hallucinate the names of repositories, packages, and plugins. Attackers register fake resources in advance under the names AI models most often invent on their own, then plant malicious instructions inside them that the model automatically downloads and executes.
How the Attack Works
The HalluSquatting mechanism differs from classic prompt injection, which requires a direct channel to reach the victim, such as a malicious email or message. Here, attackers first track popular repositories and the tasks developers typically assign to their AI assistants, then probe the model to determine the probability distribution of names it is most likely to invent for a given type of request. Based on that, they register a real, existing resource under that exact fictitious name and fill it with malicious code or instructions.
When a developer asks an AI assistant to clone a repository, install a package, or add a plugin, the model may independently 'find' and download the crafted resource instead of the real one, simply because it had previously hallucinated that exact name. As a result, malicious code ends up in the developer's environment without any interaction on their part beyond a standard command.
Scale of the Problem
The most alarming part is the numbers. In repository cloning tasks, the model hallucinated fake names in as many as 85 percent of cases, and for plugin or skill installation the rate reached 100 percent. The researchers also showed that hallucinations are largely transferable across different models and applications, meaning a single registered malicious resource can work effectively against many different tools at once.
It is precisely this transferability, and the lack of any need to directly target a specific victim, that leads the authors to compare HalluSquatting to classic botnet propagation rather than a single, personalized attack. One registered fake package can potentially infect the environments of thousands of developers using different AI assistants, who independently stumble onto the same hallucination.
Why It Matters for Developers
The researchers tested nine popular tools, including Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants. In every case, they demonstrated remote code execution or remote tool invocation, which in practice allows malware to be installed on a developer's machine without their conscious consent.
The attack is especially dangerous because it targets a fundamental trait of today's large language models: the tendency to invent plausible-sounding but nonexistent names when the model isn't sure of the answer. As long as hallucination remains an inherent feature of LLMs, any system that automatically acts on such names remains vulnerable to this class of attack.
Context for Polish Teams
The news comes as Polish software companies increasingly rely on coding agents in their daily work, from GitHub Copilot to Cursor and Windsurf. HalluSquatting surfaces just days after the disclosure of GhostApproval, another vulnerability affecting AI editors, underscoring that the security of agentic coding tools has become one of the most active areas of AI cybersecurity research this year.
Development teams should treat AI assistants' suggestions for package and repository names with the same caution as links in suspicious emails, verifying the source before running any downloaded code. The researchers stress the need for stronger validation mechanisms built directly into AI-based developer tools, rather than leaving that responsibility solely to users.
Sources: New HalluSquatting Attack Allows Hackers to Poison AI Coding Assistants Into Installing Botnet Malware (cybersecuritynews.com), Agentic Botnets Attack Uses HalluSquatting to Hijack AI Coding Assistants (cyberpress.org), New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware (thehackernews.com)


