How HalluSquatting Turns AI Coding Agents Into Botnet Risks

Researchers describe HalluSquatting as a pull-based prompt-injection attack that targets AI coding assistants and agents. It exploits hallucinated repository and skill identifiers, potentially enabling botnets, DDoSes, ransomware campaigns, and cryptocurrency mining.

WTF Index TERMINATOR
◄ Terminator 4 Idiocracy 1 ►

The story centers on AI coding agents being exploited for scalable malware, botnet, ransomware, DDoS, and cryptomining risks.

How HalluSquatting Turns AI Coding Agents Into Botnet Risks

HalluSquatting is a newly described prompt-injection technique that moves AI security risk from one-off targeting toward attacks that can scale across many developer machines. The issue centers on AI coding assistants and agents that fetch code, repositories, skills, and other resources while working through normal development tasks.

Researchers say the attack affects Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw. The risk comes from a familiar weakness in large language models: when asked to find a resource, they may invent an incorrect location instead of refusing or saying they do not know.

Why HalluSquatting Changes The Prompt-Injection Risk

Prompt injection has already become a major AI security concern because large language models cannot reliably separate trusted user instructions from hostile instructions hidden in content they process. That content can include emails, source code, calendar invitations, websites, repositories, and other third-party material.

Many prompt-injection attacks are push-based. In that model, the attacker places malicious instructions inside something sent to a particular victim, such as an email or calendar invitation. That makes the attack dangerous, but it also limits scale because each target has to receive the malicious content.

Pull-based attacks work differently. The model or agent goes out and retrieves content that already exists somewhere else. Until now, that approach has been limited because attackers had no easy way to make large numbers of LLMs visit a malicious site.

HalluSquatting changes that by focusing on resources that AI coding assistants and agents already look for in their normal workflow. These tools often pull code and related material from repositories and registries, and they may do so through command-line access that can run scripts or code.

How The Attack Works

HalluSquatting is short for adversarial hallucination squatting. The technique relies on the fact that LLMs may hallucinate resource identifiers hosted in repositories and registries. When a user asks an agent to clone a repository or install a skill, the tool may navigate to a fabricated but plausible location.

Researchers found that this can happen at high rates for newer and trending resources. When a developer instructs a coding agent to clone a popular new repository, the LLM hallucinates its correct location up to 85 percent of the time. When cloning a trending “skill,” hallucinations can occur 100 percent of the time.

The attacker does not need to compromise the real project. Instead, the attacker predicts the wrong identifiers that models are likely to invent, checks whether those identifiers can be registered, and then creates a repository or skill at that location.

The malicious resource can then contain instructions or code that cause the agent to install a reverse shell or other malicious wares. Because coding agents and assistants may have access to integrated shells and terminals, they can follow those instructions on the user’s machine.

  • The user requests a repository or skill.
  • The LLM fabricates an incorrect identifier.
  • The attacker has already registered that likely hallucinated location.
  • The agent retrieves the attacker-controlled resource.
  • The agent may run instructions or code from that resource.

The Link To Typosquatting

The “squatting” part of HalluSquatting refers to typosquatting, an older attack pattern in which a malicious domain, package, or resource identifier imitates a legitimate one. The goal is to make users visit or install the wrong thing.

The source article points to a 2016 example in which a college student uploaded 214 booby-trapped packages to the PyPI, RubyGems, and NPM repositories. Those packages closely mimicked legitimate package names. The imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half were given all-powerful administrative rights.

HalluSquatting applies a related idea to AI-generated mistakes. Instead of waiting for a human to mistype a name, the attacker waits for a model to produce a predictable but wrong repository or skill location.

Why Newer Resources Are More Exposed

The researchers say HalluSquatting focuses on trending resources because they are less likely to be included in LLM training and can receive large numbers of downloads over a short period of time. That combination matters: the model is more likely to guess, and many users may be trying to retrieve the same resource.

The issue appears across major models named in the source article: Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5. Researchers also found that the hallucinated locations can follow predictable patterns.

One pattern described as self-referential produces repo-name/repo-name slugs that treat a repository name as the owner. The source article says exploiting that pattern requires no model probing.

The age of the resource also matters. LLMs correctly resolve repositories published before 2019 with a low mean hallucination rate of just 0.9 percent. For repositories published in 2025, the same models fabricate slugs with a mean hallucination rate of 92.4 percent.

What The Consequences Could Be

The researchers describe HalluSquatting as a way to compromise many independent agentic applications with minimal effort by targeting popular resources. Because the attack can spread through resources that many tools may retrieve, it has the potential to create outcomes that earlier prompt-injection attacks could not easily reach.

Those outcomes include massive botnets, large-scale DDoSes, device infections at scale, large ransomware campaigns, and cryptocurrency mining. The common thread is distributed access: once many machines are under attacker control, the attacker can use them for work that benefits from scale.

The researchers are Aya Spira, Elad Feldman, Avishai Wool, and Ben Nassi of Tel Aviv University, Stav Cohen of Technion, and Ron Bitton of Intuit. Their work frames HalluSquatting as a new form of AI security risk created by the intersection of hallucinations, software supply chains, and agentic tools with command-line access.