Security

HalluSquatting Attack Exploits AI Coding Tools to Build Botnets

Researchers demonstrate how attackers can weaponize LLM hallucinations to infect coding assistants at scale, a first for prompt injection attacks.

Omega Editorial· July 8, 2026· 3 min read

A new class of AI vulnerability

Security researchers at Tel Aviv University and Technion have disclosed a novel attack method that transforms a fundamental weakness in large language models into a scalable infection vector. The technique, dubbed HalluSquatting, exploits AI coding assistants' tendency to fabricate resource locations—and can compromise devices at unprecedented scale.

The attack works against nine widely-used AI development tools: Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw. All are vulnerable because they routinely fetch code from external repositories while operating with elevated system privileges.

How the attack works

HalluSquatting builds on a core LLM limitation: when asked to locate a resource not in their training data, models hallucinate plausible-sounding locations rather than admitting uncertainty. The researchers found that when developers instruct coding agents to clone trending repositories or install new "skills" (specialized capabilities for AI agents), the underlying LLMs hallucinate incorrect locations up to 85 percent of the time for repositories and 100 percent for skills.

Crucially, these hallucinations follow predictable patterns across all six major LLMs tested—Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5. The most common pattern is "self-referential," where models construct repository slugs in the format repo-name/repo-name, treating the repository name as its own owner.

Attackers exploit this by identifying likely hallucinated names, registering them on platforms like GitHub, and uploading malicious repositories that mimic legitimate trending resources. Hidden within readme files or code are instructions directing the AI assistant to install reverse shells on the user's machine. Because these tools have command-line access, they readily comply.

The hallucination rate varies dramatically by resource age. LLMs correctly resolve repositories published before 2019 with just 0.9 percent error rates, but fabricate locations for 2025-published repositories 92.4 percent of the time.

Why it matters

HalluSquatting represents the first prompt injection attack capable of mass exploitation. Previous prompt injections required targeting individual victims through emails or documents—a "push" model that didn't scale. HalluSquatting operates as a "pull" attack where vulnerable AI tools actively seek out and execute malicious code, enabling attackers to compromise thousands of developers simultaneously without individual targeting.

This opens pathways to large-scale ransomware campaigns, massive botnets for distributed denial-of-service attacks, and coordinated cryptocurrency mining operations—all previously impossible with prompt injection techniques. The attack surface is particularly concerning because it targets the development tools used to build software, potentially introducing vulnerabilities into countless downstream applications.

Industry response

Michael Bargury, CTO of security firm Zenity, confirmed the threat's legitimacy, noting that "like typosquatting, it's a problem that's not going away." Independent researcher Johann Rehberger highlighted that the technique's real innovation lies in systematically identifying resource names models are most likely to confuse.

The vulnerability stems from LLMs' inability to distinguish between trusted instructions and untrusted external content—the same root cause behind all prompt injection attacks. Without architectural solutions to enforce this boundary, developers can only implement guardrails that mitigate rather than eliminate the risk.

The research underscores a broader tension in AI-assisted development: tools marketed for efficiency gains introduce new verification burdens. Developers must now manually confirm resource locations for each external dependency, potentially negating the time savings these assistants promise.

The findings were published by researchers Aya Spira, Elad Feldman, Avishai Wool, and Ben Nassi of Tel Aviv University, Stav Cohen of Technion, and Ron Bitton of Intuit. Details were first reported by Ars Technica.

#ai security#prompt injection#llm vulnerabilities#coding assistants#botnet#hallusquatting

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.

Want systems like this working for your business?

Book a Call

More in Security

Security· 2 min read

China Flags Security Backdoor in Anthropic's Claude Code AI Tool

Beijing's cybersecurity agency warns the autonomous coding assistant sends user data to remote servers without consent, escalating U.S.-China AI tensions.

Via AI Watch · Jul 8, 2026
Security· 3 min read

AI Agent Security Flaw Lets Attackers Hide Commands in Tool Descriptions

Microsoft warns that the Model Context Protocol's design creates a trust boundary problem banks are deploying faster than they can secure.

Via AI Watch · Jul 7, 2026
Security· 3 min read

CISA Deploys Anthropic's Mythos AI to Scan Federal Software

The cyber defense agency is using the controversial AI model to hunt for vulnerabilities in government code repositories despite ongoing White House tensions.

Via AI Watch · Jul 7, 2026