HalluSquatting Turns AI Assistants Into Silent Botnet Factories
Researchers discover a critical vulnerability where AI coding agents are tricked into executing malicious code via hallucinations.
In the evolving landscape of artificial intelligence security, the limitations of large language models have moved beyond simple prompt errors into a systemic architectural flaw. When these systems encounter gaps in their knowledge, their inability to admit uncertainty creates a dangerous opening for attackers to weaponize the very tools designed to boost productivity.
The Emergence of HalluSquatting
A new class of vulnerability, dubbed HalluSquatting, allows adversaries to construct massive botnets by exploiting the tendency of LLMs to hallucinate resource identifiers. Unlike traditional prompt injections that target users one by one, this technique is a pull-based attack that scales indiscriminately across automated agents, including Cursor, Gemini CLI, and GitHub Copilot.
“The scalable property of the attack enables the attacker to compromise a large number of users with minimal effort by targeting popular resources, thereby maximizing the likelihood that the squatted resource will be retrieved,” the researchers wrote in a paper published Wednesday. “By exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively ‘infect’ many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register.”
Predictable Failures in AI Resolution
The core issue lies in how AI models resolve repository or skill names. Because LLMs lack a grounded reality for new or trending resources, they frequently misinterpret user instructions and attempt to navigate to non-existent or attacker-controlled locations. This failure is remarkably consistent across six major foundational models, including GPT-5.1 and Opus-4.5, allowing attackers to pre-calculate which identifiers the models will hallucinate most frequently.
- LLMs fail to accurately identify repository locations up to 85 percent of the time.
- Hallucination rates for trending resources can reach 100 percent.
- Repositories published in 2025 face a 92.4 percent mean hallucination rate.
- Older repositories published before 2019 have a low mean hallucination rate of 0.9 percent.
Scalable Risks for Modern Infrastructure
By registering the predicted hallucinated domains and seeding them with malicious payloads, hackers can gain control over distributed computing resources. These infected agents then serve as a foundation for high-impact criminal activities, ranging from large-scale cryptocurrency mining to distributed denial-of-service (DDoS) attacks. As noted by industry experts, this threat represents a fundamental shift in how AI-powered tools act as an attack vector.
Consequences for the Ecosystem
For businesses and developers, the reality of HalluSquatting necessitates a shift away from implicit trust in autonomous coding assistants. Relying on these tools to automatically fetch and execute resources introduces a significant security gap that requires manual verification of all external dependencies. The industry must now grapple with the fact that convenience-driven automation often masks deep, inherent vulnerabilities, forcing organizations to build more resilient workflows that assume AI systems will eventually be manipulated by external inputs.
Original reporting: Ars Technica
← Back to all stories