New HalluSquatting Attack: Exploiting AI Hallucinations to Install Botnet Malware

4

New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

Researchers have uncovered a cyberattack technique that exploits AI hallucinations to hijack coding assistants and silently install botnet malware — no passwords, no exploits, just a name an AI predictably invents.

Published July 8, 2026, by cybersecurity researchers at Tel Aviv University and Technion, the HalluSquatting attack targets a gap that millions of developers now use daily: AI coding assistants that fetch external resources and run commands with minimal human oversight. The research arrives as agentic AI tools become deeply embedded in software workflows, raising urgent questions about how much autonomy these systems should be granted. Understanding the risks and challenges of artificial intelligence in business has never been more pressing — and HalluSquatting illustrates precisely why.


How the HalluSquatting Attack Works

The attack chains two well-documented AI weaknesses into a single, repeatable exploit. The first is hallucination — an AI confidently inventing a resource name that does not exist. The second is indirect prompt injection — hiding malicious instructions inside content the AI fetches so it follows an attacker instead of the user.

The method unfolds in four steps:

  1. An attacker identifies a trending repository or plugin that many developers are actively asking their AI assistants to retrieve. Because the resource is new, it likely falls outside the model's training data — which is precisely when the model begins guessing at names.
  2. The attacker repeatedly queries an AI assistant for that resource and records whichever fake name the model invents most consistently.
  3. That name is registered on GitHub or a plugin marketplace with adversarial instructions buried inside it.
  4. From that point, the attacker simply waits.

When a real developer asks their assistant to fetch the popular resource, the assistant invents the same fake name — and pulls in the attacker's version. The hidden instructions fold seamlessly into the assistant's task queue. Because these assistants include a terminal among their built-in tools, "install a bot" becomes just another command the hijacked assistant can execute.

The Numbers Behind the Exploit

In experiments, the hallucinated mistake proved remarkably consistent. Across different phrasings and across models from multiple companies, assistants reached for the same wrong name in up to 85% of repository requests and 100% of plugin skill installs — the peak rates reported in the paper, with a full breakdown provided by the authors.

These figures are not edge cases. They reflect a structural pattern: when an AI model lacks training data for a specific resource, it does not fail gracefully. It invents a plausible-sounding answer and proceeds with confidence.

Which Tools Were Tested

The research team tested the technique against Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants. All were successfully tricked into running attacker-supplied code. The payloads used in testing were harmless placeholders; the researchers note that a live malicious payload would travel the same path without friction.


Why This Represents a New Class of Botnet Threat

Traditional botnets demand substantial effort. They rely on weak credentials, network-worming exploits, or device-specific vulnerabilities — as seen with the Mirai botnet, which famously herded internet-connected cameras and routers into a massive distributed denial-of-service weapon. HalluSquatting requires none of that infrastructure.

There are no passwords to crack and no network exploits to deploy. The payload arrives as text the AI reads rather than a network packet a firewall scans, which means conventional perimeter defenses are effectively blind to it. The technique works across operating systems, making the potential botnet fleet far more diverse than traditional campaigns. To understand the broader landscape of threats this sits within, the full range of malware types and how they operate provides essential context for anyone assessing organisational risk.

"The AI is the delivery van here, not the cargo," the researchers note in framing the attack. The planted instructions trick the assistant into installing an ordinary bot — and once that bot is running, the machine joins a botnet like any other.

HalluSquatting builds on a rapid sequence of related findings that collectively signal a maturing threat category:

  • January 2026: Aikido Security researcher Charlie Eriksen found that an AI-invented npm package called react-codeshift had already spread into 237 code projects through AI-generated instructions, with agents still attempting to install it daily. Eriksen registered the name himself before any attacker could claim it.
  • Subsequently: Palo Alto Networks' Unit 42 identified roughly 250,000 hallucinated domains sitting unregistered and available for registration.
  • June 2026: Trail of Bits researchers slipped malicious skills past several plugin store scanners in under an hour, demonstrating that marketplace screening offers limited protection.

HalluSquatting is the version that completes the chain — reaching all the way from a fake name to executed code by hijacking the agent doing the fetching. Each prior discovery exposed one link; this research demonstrates the full exploit path end to end.

What Makes This Structurally Different

There is no single CVE to patch here. The vulnerability is not a product bug — it is a structural weakness in how AI agents trust names they were never actually given. This distinction matters enormously for security teams accustomed to patch-based remediation cycles. No vendor update will close this gap in isolation. The attack surface shifts with every new agentic tool deployed, every new repository queried, and every new plugin marketplace that opens. For a broader perspective on how artificial intelligence is reshaping the cybersecurity landscape — both as a defensive tool and as an attack vector — the implications of HalluSquatting extend well beyond any single platform.


What Developers and Security Teams Can Do Now

The attack depends entirely on one condition: an agent that fetches an outside resource and runs it without human review. Eliminate that condition and the attack stops.

Fix the Root Cause: Ground the Agent Before It Acts

The most effective mitigation is grounding the agent in reality before it acts. Requiring the assistant to perform a live search before fetching a resource — confirming the name actually exists — sharply reduces hallucination-driven mistakes. That fix belongs primarily to the developers building these tools, who can also train planning components to treat commands like clone, install, and fetch as triggers for verification rather than immediate execution.

Immediate Actions for Users and Security Teams

Users and security teams have more immediate options. By default, most agents prompt before executing a command. The real exposure comes from auto-run modes — such as Claude Code's skip-permissions flag and Gemini CLI's "yolo" mode — that disable that confirmation step entirely.

The first practical rule is straightforward: do not allow an agent to run unattended on anything it fetched from an external source.

Some tools now include safety layers that inspect agent activity before execution. Claude Code's auto mode and Gemini CLI's Conseca check both lower risk, though neither eliminates it. Developers should also manually verify that any repository or package name an AI provides resolves to the expected, legitimate source before allowing an agent to pull it in.

Platform-Level Responsibility

Platform operators carry their own responsibility. Preventing the reuse of well-known repository names under new accounts and pre-registering the fake names AI models are likely to hallucinate — mirroring defences already used against typosquatting — would close a significant portion of the attack surface. This is not a theoretical ask; the react-codeshift incident demonstrates that proactive registration works when someone acts quickly enough.

Organisational Policy Guidance

  • Developers should audit any AI-assisted workflow that fetches external packages or plugins and disable auto-run permissions until a verification step is added.
  • Security teams should add hallucinated package and repository names to threat-monitoring playbooks alongside traditional typosquatting indicators.
  • Organisations adopting agentic AI tools should establish explicit policies requiring human approval before any AI assistant installs or executes externally sourced code.

About the Research Team

The research team, led by Aya Spira and colleagues in Ben Nassi's group at Tel Aviv University, with Stav Cohen at Technion and Ron Bitton at Intuit, disclosed findings to affected vendors before publication and withheld the precise steps needed to replicate the attack. Nassi's group has previously demonstrated a self-spreading AI email worm and a calendar invite that hijacked Google's Gemini — establishing a consistent track record of exposing emergent agentic vulnerabilities before they reach widespread exploitation.

Their closing note carries weight for anyone building or using agentic AI systems: "Attacks always get better; they never get worse." No current generation of safety tooling should be treated as a permanent answer. The threat will iterate. The question is whether the defences iterate faster. For further reading on the technical foundations of this research, the full paper is available via arXiv.

You might also like