Coding Agents5 min read

HalluSquatting: How AI hallucinations let attackers build botnets

Researchers show HalluSquatting can trick coding assistants such as GitHub Copilot and Cursor into fetching attacker-controlled repos that.

The Brieftide

TL;DR

  • 01Researchers show HalluSquatting can trick coding assistants such as GitHub Copilot and Cursor into fetching attacker-controlled repos that.
  • 02HalluSquatting can assemble massive botnets and infect devices at scale by tricking coding assistants into fetching attacker-controlled repositories and skills, researchers showed Wednesday.
  • 03The team — Aya Spira, Elad Feldman, Avishai Wool, and Ben Nassi of Tel Aviv University, with Stav Cohen of Technion and Ron Bitton of Intuit — published their paper describing the attack.

HalluSquatting can assemble massive botnets and infect devices at scale by tricking coding assistants into fetching attacker-controlled repositories and skills, researchers showed Wednesday. The team — Aya Spira, Elad Feldman, Avishai Wool, and Ben Nassi of Tel Aviv University, with Stav Cohen of Technion and Ron Bitton of Intuit — published their paper describing the attack.

What is HalluSquatting and how does it work?

HalluSquatting, short for adversarial hallucination squatting, exploits an LLMs tendency to hallucinate resource identifiers and then registers those predictable, hallucinated names so agents will pull attacker-controlled code. In practice attackers identify the owner/repo or skill slugs an LLM is likely to invent, register those names on registries or repositories, seed them with instructions or code to install reverse shells or other payloads, and wait for agentic applications to retrieve and execute them.

The paper explains the attack is pull-based: unlike push prompt injections that target individuals, HalluSquatting relies on agents actively resolving repository and skill names during normal workflows and then running code via integrated shells or terminals.

Which models and tools are affected?

Multiple major foundational LLMs and widely used coding assistants are vulnerable, the researchers found: Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5 all exhibit predictable hallucination patterns the attack exploits. The study tested agents and assistants including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw and found they routinely pull code and other resources from repositories and registries.

The researchers measured high error rates when resolving locations: an LLM can hallucinate a repository location up to 85 percent of the time, and when cloning a trending ‘‘skill’’ hallucinations can occur 100 percent of the time. The paper also contrasts historical and recent material: repositories published before 2019 had a mean hallucination rate of just 0.9 percent, while repositories published in 2025 showed a mean hallucination rate of 92.4 percent.

Those patterns include a common self-referential hallucination where models produce repo-name/repo-name slugs that treat the repository name as the owner; those predictable slugs are trivially discoverable and, if registrable, can be squatted by attackers.

Why it matters

HalluSquatting converts a long-standing LLM weakness into a scalable attack path because it does not require an attacker to target individual users. The researchers note that by embedding instructions to install reverse shells, attackers can "infect" many agentic applications and thereby gain control of distributed computational resources for large ransomware campaigns, cryptocurrency mining, or DDoS botnets. The paper cites examples of prior mining and botnet malware families such as Smominru, WannaMine, and Mirai as analogous outcomes if HalluSquatting is weaponized.

Security practitioners have already reacted. Michael Bargury, CTO of Zenity, wrote by email, "This is very cool research, and the threat is very real." Independent observers highlighted that the technique allows attackers to probe models for high-probability hallucinated candidates and then wait for agents to resolve and use them, increasing the likelihood of many agents falling for the same squatted resource.

What to watch

Monitor whether attackers begin registering high-probability hallucinated owner/repo slugs and seeding them with payloads, and whether incident reports emerge tying reverse-shell installations or large-scale device compromises to squatted repositories or skills. Also watch vendor responses: changes to how agentic applications resolve and verify third-party repositories and whether terminals and integrated shells require stronger confirmations before running fetched code will be the clearest mitigation signals.

Researchers: Aya Spira, Elad Feldman, Avishai Wool, Ben Nassi (Tel Aviv University), Stav Cohen (Technion), Ron Bitton (Intuit). A copy of their paper was published Wednesday. Specific measured rates in the paper include up to 85 percent hallucination for repository locations, 100 percent hallucination when cloning trending skills, 0.9 percent mean hallucination for pre-2019 repositories, and 92.4 percent mean hallucination for 2025 repositories.

Advertisement

Written by The Brieftide · Source: Ars Technica

The Brieftide Daily · 06:00

Briefs like this one, in your inbox every morning.

 

FreeOne email a dayEvery claim sourcedUnsubscribe in one click
Advertisement