Security

HalluSquatting Turns AI Hallucinations Into Botnet Attacks

3 min read
Security analyst in front of monitors with network graphs, alerts and a world map showing botnet nodes. Image generated with GPT Image 2
Security analyst in front of monitors with network graphs, alerts and a world map showing botnet nodes.

TL;DR Too Long; Didn’t read

A research team from Israel has demonstrated HalluSquatting, an attack technique that exploits AI-invented package names to deliver malicious code. In tests, the method reached a hit rate of up to 100 percent when installing supposed AI skills. Five tested coding assistants automatically fetched malware as a result.

Key takeaways

  • Researchers pre-register the fantasy names that AI models predictably invent when queried.
  • For skill installations, invented names reach a hit rate of up to 100 percent in tests.
  • Five tested coding assistants automatically fetch malicious code through the flaw.
  • The technique works across models because hallucinations transfer between different AI systems.
  • Affected vendors have not yet announced a fix for the flaw.

A research team from Israel has demonstrated HalluSquatting, an attack technique that specifically exploits repository and package names invented by AI models to deliver malicious code. In tests, the method reached a hit rate of up to 100 percent when installing supposed AI skills. Five tested coding assistants automatically fetched malware as a result.

Attackers register predicted fantasy names

AI coding assistants regularly invent names that do not actually exist when asked about certain programming libraries or extensions – a well-known phenomenon called hallucination. Researchers Aya Spira, Stav Cohen, Elad Feldman, Ron Bitton, Avishai Wool, and Ben Nassi, from Tel Aviv University, the Technion, and the software company Intuit, describe in their paper how this behavior can be predicted and exploited. Attackers repeatedly query the same AI models about popular, currently in-demand repositories and thereby determine which fantasy names the systems reproducibly invent. They then register exactly these names on GitHub or in plugin directories and plant prepared prompts there. When a user later asks an AI for the actual, non-existent package, the model returns the same invented name, fetches the attackers’ prepared version, and executes the hidden commands. Because many assistants have terminal access, this can, according to the authors, directly lead to malicious code execution on the victim’s device.

Tests show high hit rates across several assistants

At the model level, the hit rate of invented names reached up to 85 percent for repository cloning and up to 100 percent for installing so-called skills, small extension modules for AI agents. Claude Opus 4.5 and other current models were among those tested. For repositories from 2025, the researchers recorded an average hallucination rate of 92.4 percent, compared with just 0.9 percent for projects predating 2019 – an indication that especially new, heavily discussed projects are affected. At the application level, the team tested the coding tools Cursor, Windsurf, OpenClaw, Google Gemini CLI, and GitHub Copilot. As Tom’s Hardware reports, the success rate for Cursor, Gemini CLI, and Copilot ranged between 20 and 35 percent, and between 80 and 100 percent for several OpenClaw variants. The researchers demonstrated the attack against several production AI applications with integrated terminal access, achieving both remote tool execution and full remote code execution on the test systems.

HalluSquatting builds on a related, already known problem: so-called slopsquatting, in which individual AI-invented package names are maliciously registered after the fact. One such case spread, as The Hacker News reported, to 237 code projects before it was discovered. In total, roughly 250,000 registered domains are said to be based on hallucinated names generated by AI systems – a figure that is not independently verified and points to the scale of the problem beyond individual tools. Unlike earlier variants of the so-called promptware attack, HalluSquatting requires no direct access channel to the AI system, such as a manipulated website. The predicted hallucination also works across models: a name invented by one model is highly likely to also appear in other AI systems, considerably widening the reach of a single registered fake package. As the most effective countermeasure, the researchers recommend instructing coding assistants to always run a regular web search before every installation and to independently confirm a package’s existence, rather than blindly trusting auto-generated suggestions.

It remains an open question whether vendors such as Cursor, GitHub, or Google will require their assistants to perform such verification by default before automatically fetching code or extensions. So far, the affected companies have not announced a fix, according to the authors, while the pool of popular, potentially imitable names keeps growing with every new trending repository.

Frequently asked questions

What exactly is HalluSquatting?

HalluSquatting is a technique in which attackers register the fantasy software package names that AI models predictably invent when queried, in order to spread malicious code through them.

Which AI coding assistants are affected?

In the researchers' tests, Cursor, Windsurf, OpenClaw, Google Gemini CLI, and GitHub Copilot proved vulnerable, though the success rate varied considerably by tool.

How does HalluSquatting differ from slopsquatting?

Slopsquatting exploits individual, randomly discovered fantasy names, while HalluSquatting systematically exploits the predictability of AI hallucinations to register many names in advance.

How can developers protect themselves?

The researchers recommend instructing AI assistants to run an independent web search before every installation and to manually verify package names instead of trusting auto-generated suggestions.

Have the affected companies responded yet?

According to the researchers, no public fix from the named vendors was available at the time of publication.


← Back to the blog