Skip to content
AI Security Wire

Published

- 5 min read

By

HalluSquatting Turns AI Hallucinations Into Botnet Malware

img of HalluSquatting Turns AI Hallucinations Into Botnet Malware

AI coding assistants hallucinate package names. That is not new. Security researchers have been documenting the risk since early 2025, and the term slopsquatting has stuck for what happens when attackers register those invented names before anyone else does.

New research from Ben Nassi’s group at Tel Aviv University closes the loop. The technique, which the authors call HalluSquatting, does not stop at a malicious package sitting in wait. It adds a second layer: hidden prompt injection instructions inside the fake package that hijack the AI agent, turn it against the user, and direct it to install botnet malware. The paper is available at sites.google.com/view/agentic-botnets/home. The Hacker News covered the research this week.

The Two-Step Chain

The attack chains two weaknesses that AI security researchers have been tracking separately for the past year.

The first is hallucination. When asked to fetch a resource that is not in its training data, an AI assistant will sometimes invent a plausible-sounding name and act as if it is real. That consistency matters: in the researchers’ tests, different phrasings and different models tended to land on the same wrong name. Up to 85 percent of repository requests and 100 percent of skill installs reached for the same hallucinated name, making the attack predictable enough to be operational.

The second is indirect prompt injection. Text fetched from an external source can carry hidden instructions that override the user’s original intent. Placed inside the fake repository’s README or metadata, those instructions hijack the agent. Instead of stopping at an error, the agent reads the attacker’s commands as if they came from the user.

The key ingredient is the agent’s built-in terminal access. Most coding assistants can run shell commands as part of their normal workflow. Once the injected instructions take over, installing a bot is just another command the agent can execute. It does not require any additional vulnerability. The agent does exactly what it was told, by the wrong party.

What the Researchers Built and Tested

The team, led by Aya Spira with Stav Cohen at Technion and Ron Bitton at Intuit, chose trending repositories as targets, because a resource that isn’t yet in an AI’s training data is exactly where hallucination kicks in. They queried AI assistants repeatedly to find which fake names came up most reliably, then registered those names on GitHub and inside plugin stores, embedding their adversarial payload inside.

Test targets included Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, and the OpenClaw family of assistants. All were tricked into running attacker-controlled code. The payloads in the tests were harmless, but the path they demonstrated is the same one live malware would take.

The research team held back the precise steps needed to replicate the attack and notified affected vendors and marketplace operators before going public. No CVE was assigned because the researchers frame this as a structural weakness rather than a bug in any single product.

Not One Vulnerability, a System Property

That framing is worth sitting with. There is no patch that closes this. Slopsquatting was already documented: in January 2026, Charlie Eriksen at Aikido Security found that AI-generated code had spread a hallucinated npm package name, react-codeshift, to 237 repositories, with agents still trying to install it daily. Eriksen registered the name himself before any attacker could.

Unit 42 at Palo Alto Networks extended the observation to domains: roughly 250,000 hallucinated domains sitting unregistered and available to anyone willing to set up a server. (AI Security Wire covered that research here.)

HalluSquatting is what happens when both observations are combined and driven to their conclusion. Names that AIs reliably invent, resources that AIs have permission to fetch and run, no human in the loop to check whether the name is real.

Nassi’s group has published in this space before. Their prior work includes a self-replicating AI email worm and a calendar invite designed to hijack Google’s Gemini. The pattern across their research is the same: capabilities that make AI agents useful, file access, command execution, external fetches, are the ones that make successful attacks consequential.

The Auto-Run Risk

The researchers call out two specific configurations that make the attack most dangerous. Claude Code’s skip-permissions flag and Gemini CLI’s yolo mode both let agents execute fetched resources with no human review step. Those modes are designed for convenience in trusted environments, but in the context of HalluSquatting, they eliminate the one check that would let a user see the wrong name before the agent acts on it.

Some tools now include safety layers that inspect what an agent is about to do before it runs. The researchers acknowledge these reduce risk. They don’t remove it.

The paper’s conclusion is blunt: “Attacks always get better; they never get worse.” The technique the team describes is a lower bound on what’s achievable with the same pieces.

Mitigations

For users: verify that any repository or package name an AI assistant suggests resolves to the expected real source before the agent fetches it. Treat AI-supplied names as guesses. Don’t run AI agents in skip-permissions or auto-run modes on anything they fetched from the network.

For platform operators and AI tool vendors: the most reliable fix is training the AI planner to search and verify before fetching, grounding it in what actually exists before it commits to a name. Pre-registering the hallucinated names models most commonly invent, the same approach used against typosquatting, is a parallel defence.

For security teams: assess whether AI coding tools in your environment have auto-run modes enabled. If they do, treat those configurations as elevated risk profiles requiring the same access controls as any other code execution environment.

References

Frequently Asked Questions

What is HalluSquatting and how does it differ from slopsquatting?
HalluSquatting is an attack technique published by researchers at Tel Aviv University that extends slopsquatting into a full attack chain. Slopsquatting covers the risk that AI models invent plausible-sounding package names that don't exist, which attackers can register with malicious code. HalluSquatting adds a second step: the fake package also contains hidden prompt injection instructions that hijack the AI agent and direct it to run attacker-supplied commands, including installing botnet malware. The result is a path from a single hallucinated name to full bot installation, with no user interaction required beyond the original prompt.
Which AI coding assistants are affected by HalluSquatting?
The researchers tested the technique against Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants. All were successfully tricked into running attacker code in their experiments. The authors note that the hallucination consistency is the key variable: in their tests, AI assistants reached for the same wrong repository name in up to 85 percent of cases for repository requests and in 100 percent of cases for skill installs, making the attack predictable enough to be practical at scale.
What can users and security teams do to reduce exposure?
The single most effective control is to verify that any repository or package name an AI assistant suggests resolves to the real, expected source before the agent fetches it. Treat AI-supplied names as guesses, not facts. Avoid auto-run or skip-permissions modes that let agents execute fetched resources with no human review. Claude Code's skip-permissions flag and Gemini CLI's yolo mode are the specific configurations the researchers flag as risk amplifiers. At the platform level, vendors should train AI planners to search and verify before fetching, and pre-register the hallucinated names their models most commonly invent, the same approach used against typosquatting.