Thursday, July 9, 2026

News

HalluSquatting Attack Turns AI Hallucinations Into Coding-Agent Botnets

CodingPatryk Raba

Researchers from Tel Aviv University, Technion, and Intuit have shown how registering AI-hallucinated repository names can be used to hijack nine popular coding tools, including Cursor and GitHub Copilot.

Contents
  1. How the trap works
  2. The scale of the hallucinations
  3. Nine tools in the crosshairs
  4. A botnet without passwords or worms
  5. What it means for developers

Researchers from Tel Aviv University, Technion, and Intuit have described a new attack technique targeting AI coding agents, called HalluSquatting. It exploits a phenomenon long dismissed as a harmless quirk of language models, hallucinating nonexistent repository and package names, and turns it into a ready-made weapon for building a botnet.

The attack mechanism is surprisingly simple and requires no break-in into the victim's system at all. The attacker first checks which repository or package names a model most often invents in response to typical prompts, such as clone popular project X or install skill Y. They then register those invented names as real accounts on GitHub or in package registries and plant a malicious payload inside them.

How the trap works

When a developer asks an AI agent to pull a trending repository, the model is highly likely to point not to the real address but to the invented one already hijacked by the attacker. The agent, with terminal access, downloads and runs the code itself, treating it as a routine, trusted task. That's how the malicious payload lands on the developer's machine without any password, phishing, or network exploit.

The researchers call it the first pull-type attack, one initiated by the victim themselves, that also scales to a large number of users. Because the attack content arrives as ordinary text read by the model rather than as a classic network attack, traditional firewalls and detection systems don't see it.

The scale of the hallucinations

The team measured how often models invent nonexistent resources depending on their age and popularity. For old, well-known repositories from before 2019, the error occurred in less than one percent of cases. For newer, high-profile projects from 2025, the hallucination rate jumped to over 92 percent, and when asked about popular, trending skills it reached 100 percent.

That flips the intuition many developers have, that a model errs less often on well-known, high-profile projects. In practice it's the opposite, the newer and more talked-about the topic, the greater the chance the agent will supply an invented address, because the training data doesn't yet contain enough real references.

The scalability of this attack lets an attacker compromise a large number of users with minimal effort, all it takes is targeting popular resources - Aya Spira, Tel Aviv University

Nine tools in the crosshairs

The list of affected products includes popular AI-enabled editors such as Cursor and Windsurf, command-line tools such as Cursor CLI and Gemini CLI, and cloud-integrated assistants such as GitHub Copilot and Cline. The researchers also tested lesser-known agents, OpenClaw, ZeroClaw, and NanoClaw, getting similar results regardless of the underlying model provider.

The phenomenon proved consistent across different foundation models and different prompt phrasings, meaning it can't simply be sidestepped by switching AI providers. Since most of the tested tools give the agent terminal access as one of its core capabilities, each of them could in theory be used to remotely execute code on the victim's computer.

A botnet without passwords or worms

The authors stress that machines infected this way don't need to share an operating system or connect through typical network vulnerabilities, which sets this botnet apart from classic ones built on weak passwords or lateral movement across a network. Developer computers gathered this way could be used for cryptocurrency mining, DDoS attacks, or coordinated ransomware campaigns.

The team deliberately used harmless payloads in its tests instead of real malware and redacted some technical details so the publication wouldn't become a ready-made instruction manual for criminals. The findings went first to tool makers, model providers, and package registry administrators before the study saw the light of day.

What it means for developers

For Polish development teams, who increasingly rely on coding agents in their daily work, the study is another signal that automatic command execution by AI needs an extra layer of control. The measures the researchers recommend include requiring package publisher verification, sticking to predefined, pinned lists of trusted resources, and forcing human confirmation before an agent installs anything.

The publication fits into a growing body of research showing that agentic coding tools have become a new attack surface, alongside previously documented flaws in command-approval mechanisms and fake bug reports used to hijack agents. Unlike those cases, HalluSquatting requires no social-engineering interaction with the victim, it's enough for a developer to ask the agent to perform a routine task.

Sources: The Hacker News (thehackernews.com), AI Chat Daily (aichatdaily.com), Agentic Botnets research page (sites.google.com/view/agentic-botnets)

Share: