HalluSquatting Attack Poisons AI Coding Assistants to Install Botnet Malware
Key Takeaways A novel attack, “HalluSquatting,” exploits AI coding assistants’ tendency to hallucinate resource names. Attackers register these hallucinated names with malicious...
Key Takeaways
- A novel attack, “HalluSquatting,” exploits AI coding assistants’ tendency to hallucinate resource names.
- Attackers register these hallucinated names with malicious content, tricking AI agents into installing malware.
- The technique can lead to remote code execution and botnet formation, affecting developer systems.
- Hallucination rates were observed as high as 100% in some scenarios, and findings are transferable across different LLM models.
- Researchers have responsibly disclosed the findings to affected vendors, but robust validation mechanisms are urgently needed.
A sophisticated new attack vector, dubbed “HalluSquatting,” is raising alarms in the cybersecurity community. This technique leverages the inherent tendency of AI coding assistants to generate incorrect or “hallucinated” resource identifiers, effectively manipulating them into installing botnet malware on developer systems.
Table Of Content
The groundbreaking research, led by Aya Spira, Stav Cohen, Elad Feldman, Ron Bitton, Avishai Wool, and Ben Nassi from Tel Aviv University, Technion, and Intuit, uncovers a critical vulnerability in agentic large language model (LLM) applications. Tools such as GitHub Copilot, Cursor, and similar AI-powered coding assistants increasingly rely on external integrations like code repositories and plugins, thereby expanding their potential attack surface.
Unlike conventional prompt injection methods that necessitate direct communication, HalluSquatting operates without any direct interaction with the target system. Instead, it exploits a known characteristic of LLMs: their propensity to hallucinate or invent non-existent resource identifiers when responding to user requests.
HalluSquatting Attack Poisons AI Coding Assistants
The HalluSquatting attack unfolds in a calculated manner. Threat actors first meticulously analyze popular repositories, tools, or skills frequently referenced by developers. They then systematically probe LLM systems to identify names that these models are likely to hallucinate when prompted to retrieve or install such resources.
Once these potential hallucinated names are identified, attackers preemptively register them. They then embed malicious instructions within these fake resources. Consequently, when a developer later instructs an AI assistant to perform a task, such as cloning a repository or installing a package, the LLM may inadvertently suggest or retrieve the attacker-controlled resource instead of the legitimate one.

The AI agent, unaware of the deception, proceeds to fetch this malicious resource, thereby injecting adversarial instructions into its operational flow. This process culminates in what researchers term “promptware,” where the compromised context compels the AI system to execute commands defined by the attacker.
The ramifications of such an attack are severe. In experimental scenarios, the technique enabled remote code and tool execution across various platforms, effectively allowing attackers to deploy malware onto user systems. The researchers further demonstrated the scalability of this method, illustrating its potential to establish a botnet where compromised devices could be remotely controlled post-infection.
A particularly alarming finding was the high rate of hallucination observed across different AI systems. The study recorded hallucination rates as high as 85 percent in tasks involving repository cloning and a staggering 100 percent in certain skill installation scenarios. Moreover, these hallucinations proved transferable across diverse LLM models and applications, significantly broadening the potential reach of the attack.
The researchers underscored that HalluSquatting fundamentally alters the economics of supply chain attacks. Historically, attackers faced the challenge of either compromising highly popular resources, a difficult feat, or targeting obscure ones with limited impact. By focusing on hallucinated identifiers, attackers can strategically position their malicious resources where AI systems are most likely to search, drastically increasing the probability of a successful compromise. Despite the gravity of their findings, the research team adhered to responsible disclosure protocols.
Researchers notified affected vendors, foundation model providers, and platform maintainers prior to public disclosure. To mitigate the risk of misuse, sensitive implementation details were withheld, and technical safeguards were employed throughout their experiments.
This study highlights an urgent imperative for more robust validation mechanisms within AI-driven development tools. As agentic AI systems continue to automate coding and operational tasks, safeguarding the integrity of external resources is paramount. Without adequate protective measures, these powerful tools risk becoming a widespread vector for malware distribution and the formation of sophisticated botnets.
What You Should Do
- Implement strict validation for all external resources referenced or installed by AI coding assistants.
- Prioritize the use of verified and well-known repositories and packages, avoiding reliance on AI-suggested or hallucinated names.
- Regularly audit the dependencies and external integrations used by your AI development tools.
- Educate developers on the risks of AI hallucinations and the importance of verifying resource authenticity.
- Stay informed about updates and patches from AI tool vendors regarding supply chain security and hallucination mitigation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.