Researchers from Tel Aviv University, Technion, and Intuit have detailed a new attack technique dubbed ‘HalluSquatting’ that turns AI assistants’ tendency to hallucinate into a scalable infection vector.
The cybersecurity community has identified several ways to hack or hijack AI tools through prompt injection delivered via channels such as emails, logs, comments, and messaging notifications.
These promptware attacks leverage the fact that the attacker has a direct channel to the targeted user’s LLM application.
HalluSquatting, on the other hand, has been described as a form of untargeted promptware that relies on a technique named adversarial hallucination squatting, in which threat actors can exploit AI applications at scale without a direct channel.
In a HalluSquatting attack, the attacker pre-registers the fake repository or package names that LLMs commonly invent when asked to fetch popular, trending resources.
The research team says hallucination rates in their tests reached as high as 85% for repo-cloning prompts and 100% for skill installations, and that the same hallucinated names tend to recur across different foundation models, making the technique broadly transferable.
Once the hallucinated repositories and packages are registered, the attacker can plant malicious instructions inside them.
When an unsuspecting user asks an AI tool like Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, or OpenClaw to clone a repository or install a skill, the assistant may hallucinate the squatted name, pull it down, and execute the attacker’s commands via its built-in terminal.
Those commands can direct the AI to run additional tools or code, potentially deploying various types of malware or hacking tools.
The HalluSquatting research has focused on using the technique to create agentic botnets whose size depends on how often AI tools hallucinate the attacker’s squatted resource.
Traditional botnets rely on vulnerabilities, weak security practices, and lateral movement. In contrast, agentic botnets spread via prompt injections that bypass traditional firewalls and can take root on virtually any device, resulting in a far more heterogeneous population of compromised hosts than botnets such as Mirai.
Affected vendors were notified before the publication of the HalluSquatting research, and the researchers withheld exploit details they believe could be directly reused by attackers.
Related: AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
Related: Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations
Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection
