Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Foxit PDF Reader & Editor Patches 20 Critical RCE Flaws
July 9, 2026
AssuranceAmerica Data Breach Exposes 6.9 Million Driver’s Licenses and Personal Data
July 9, 2026
GitLab Patches 8 Critical Vulnerabilities in Community and Enterprise Editions
July 9, 2026
Home/CyberSecurity News/HalluSquatting Attack Poisons AI Coding Assistants to Install Botnet Malware
CyberSecurity News

HalluSquatting Attack Poisons AI Coding Assistants to Install Botnet Malware

Key Takeaways A novel attack, “HalluSquatting,” exploits AI coding assistants’ tendency to hallucinate resource names. Attackers register these hallucinated names with malicious...

David kimber
David kimber
July 9, 2026 4 Min Read
2 0

Key Takeaways

  • A novel attack, “HalluSquatting,” exploits AI coding assistants’ tendency to hallucinate resource names.
  • Attackers register these hallucinated names with malicious content, tricking AI agents into installing malware.
  • The technique can lead to remote code execution and botnet formation, affecting developer systems.
  • Hallucination rates were observed as high as 100% in some scenarios, and findings are transferable across different LLM models.
  • Researchers have responsibly disclosed the findings to affected vendors, but robust validation mechanisms are urgently needed.

A sophisticated new attack vector, dubbed “HalluSquatting,” is raising alarms in the cybersecurity community. This technique leverages the inherent tendency of AI coding assistants to generate incorrect or “hallucinated” resource identifiers, effectively manipulating them into installing botnet malware on developer systems.

Table Of Content

  • Key Takeaways
  • HalluSquatting Attack Poisons AI Coding Assistants
  • What You Should Do

The groundbreaking research, led by Aya Spira, Stav Cohen, Elad Feldman, Ron Bitton, Avishai Wool, and Ben Nassi from Tel Aviv University, Technion, and Intuit, uncovers a critical vulnerability in agentic large language model (LLM) applications. Tools such as GitHub Copilot, Cursor, and similar AI-powered coding assistants increasingly rely on external integrations like code repositories and plugins, thereby expanding their potential attack surface.

Unlike conventional prompt injection methods that necessitate direct communication, HalluSquatting operates without any direct interaction with the target system. Instead, it exploits a known characteristic of LLMs: their propensity to hallucinate or invent non-existent resource identifiers when responding to user requests.

HalluSquatting Attack Poisons AI Coding Assistants

The HalluSquatting attack unfolds in a calculated manner. Threat actors first meticulously analyze popular repositories, tools, or skills frequently referenced by developers. They then systematically probe LLM systems to identify names that these models are likely to hallucinate when prompted to retrieve or install such resources.

Once these potential hallucinated names are identified, attackers preemptively register them. They then embed malicious instructions within these fake resources. Consequently, when a developer later instructs an AI assistant to perform a task, such as cloning a repository or installing a package, the LLM may inadvertently suggest or retrieve the attacker-controlled resource instead of the legitimate one.

Attack Model ( source : Google)
Attack Model (source: Tel Aviv University Research)

The AI agent, unaware of the deception, proceeds to fetch this malicious resource, thereby injecting adversarial instructions into its operational flow. This process culminates in what researchers term “promptware,” where the compromised context compels the AI system to execute commands defined by the attacker.

The ramifications of such an attack are severe. In experimental scenarios, the technique enabled remote code and tool execution across various platforms, effectively allowing attackers to deploy malware onto user systems. The researchers further demonstrated the scalability of this method, illustrating its potential to establish a botnet where compromised devices could be remotely controlled post-infection.

A particularly alarming finding was the high rate of hallucination observed across different AI systems. The study recorded hallucination rates as high as 85 percent in tasks involving repository cloning and a staggering 100 percent in certain skill installation scenarios. Moreover, these hallucinations proved transferable across diverse LLM models and applications, significantly broadening the potential reach of the attack.

The researchers underscored that HalluSquatting fundamentally alters the economics of supply chain attacks. Historically, attackers faced the challenge of either compromising highly popular resources, a difficult feat, or targeting obscure ones with limited impact. By focusing on hallucinated identifiers, attackers can strategically position their malicious resources where AI systems are most likely to search, drastically increasing the probability of a successful compromise. Despite the gravity of their findings, the research team adhered to responsible disclosure protocols.

Researchers notified affected vendors, foundation model providers, and platform maintainers prior to public disclosure. To mitigate the risk of misuse, sensitive implementation details were withheld, and technical safeguards were employed throughout their experiments.

This study highlights an urgent imperative for more robust validation mechanisms within AI-driven development tools. As agentic AI systems continue to automate coding and operational tasks, safeguarding the integrity of external resources is paramount. Without adequate protective measures, these powerful tools risk becoming a widespread vector for malware distribution and the formation of sophisticated botnets.

What You Should Do

  • Implement strict validation for all external resources referenced or installed by AI coding assistants.
  • Prioritize the use of verified and well-known repositories and packages, avoiding reliance on AI-suggested or hallucinated names.
  • Regularly audit the dependencies and external integrations used by your AI development tools.
  • Educate developers on the risks of AI hallucinations and the importance of verifying resource authenticity.
  • Stay informed about updates and patches from AI tool vendors regarding supply chain security and hallucination mitigation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityExploitMalwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

QR Code Phishing Attacks Steal Credentials and Deliver Malware

Next Post

Meta’s Muse AI Tool Exposes Instagram User Photos to the Public

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
QR Code Phishing Attacks Steal Credentials and Deliver Malware
July 9, 2026
GitHub Copilot Blocks Harmful Prompts in Chat, Writes Them in Code
July 9, 2026
AI Agents Vulnerable to Remote Code Execution Attacks
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us