Artificial Intelligence

‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism

Researchers demonstrate adversarial hallucination squatting against popular AI assistants to achieve remote code execution.

AI hacking

Researchers from Tel Aviv University, Technion, and Intuit have detailed a new attack technique dubbed ‘HalluSquatting’ that turns AI assistants’ tendency to hallucinate into a scalable infection vector. 

The cybersecurity community has identified several ways to hack or hijack AI tools through prompt injection delivered via channels such as emails, logs, comments, and messaging notifications.

These promptware attacks leverage the fact that the attacker has a direct channel to the targeted user’s LLM application. 

HalluSquatting, on the other hand, has been described as a form of untargeted promptware that relies on a technique named adversarial hallucination squatting, in which threat actors can exploit AI applications at scale without a direct channel.

In a HalluSquatting attack, the attacker pre-registers the fake repository or package names that LLMs commonly invent when asked to fetch popular, trending resources. 

The research team says hallucination rates in their tests reached as high as 85% for repo-cloning prompts and 100% for skill installations, and that the same hallucinated names tend to recur across different foundation models, making the technique broadly transferable. 

Advertisement. Scroll to continue reading.

Once the hallucinated repositories and packages are registered, the attacker can plant malicious instructions inside them. 

When an unsuspecting user asks an AI tool like Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, or OpenClaw to clone a repository or install a skill, the assistant may hallucinate the squatted name, pull it down, and execute the attacker’s commands via its built-in terminal.

Those commands can direct the AI to run additional tools or code, potentially deploying various types of malware or hacking tools.

The HalluSquatting research has focused on using the technique to create agentic botnets whose size depends on how often AI tools hallucinate the attacker’s squatted resource.

Traditional botnets rely on vulnerabilities, weak security practices, and lateral movement. In contrast, agentic botnets spread via prompt injections that bypass traditional firewalls and can take root on virtually any device, resulting in a far more heterogeneous population of compromised hosts than botnets such as Mirai.

Affected vendors were notified before the publication of the HalluSquatting research, and the researchers withheld exploit details they believe could be directly reused by attackers.

Related: AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique

Related: Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations

Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection

Related Content

Artificial Intelligence

Two announcements on July 7, 2026, demonstrate the government’s determination to improve the level of cybersecurity within the UK.

Artificial Intelligence

Wiz has disclosed the details of a new AI coding assistant attack method it has dubbed GhostApproval.

Artificial Intelligence

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same...

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Artificial Intelligence

The audits are reportedly being spearheaded by CISA’s Attack Surface Evaluation team, a specialized unit tasked with conducting digital defense assessments and simulated hacking...

Artificial Intelligence

Attack demonstrates how LLM agents can combine known exploitation techniques with real-time reasoning to automate complex, multi-stage intrusions.

Artificial Intelligence

As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they...

Artificial Intelligence

From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version