Researchers from Tel Aviv University, Technion, and Intuit have detailed a new attack technique dubbed ‘HalluSquatting’ that turns AI assistants’ tendency to hallucinate into a scalable infection vector.
The cybersecurity community has identified several ways to hack or hijack AI tools through prompt injection delivered via channels such as emails, logs, comments, and messaging notifications.
These promptware attacks leverage the fact that the attacker has a direct channel to the targeted user’s LLM application.
HalluSquatting, on the other hand, has been described as a form of untargeted promptware that relies on a technique named adversarial hallucination squatting, in which threat actors can exploit AI applications at scale without a direct channel.
In a HalluSquatting attack, the attacker pre-registers the fake repository or package names that LLMs commonly invent when asked to fetch popular, trending resources.
The research team says hallucination rates in their tests reached as high as 85% for repo-cloning prompts and 100% for skill installations, and that the same hallucinated names tend to recur across different foundation models, making the technique broadly transferable.
Once the hallucinated repositories and packages are registered, the attacker can plant malicious instructions inside them.
When an unsuspecting user asks an AI tool like Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, or OpenClaw to clone a repository or install a skill, the assistant may hallucinate the squatted name, pull it down, and execute the attacker’s commands via its built-in terminal.
Those commands can direct the AI to run additional tools or code, potentially deploying various types of malware or hacking tools.
The HalluSquatting research has focused on using the technique to create agentic botnets whose size depends on how often AI tools hallucinate the attacker’s squatted resource.
Traditional botnets rely on vulnerabilities, weak security practices, and lateral movement. In contrast, agentic botnets spread via prompt injections that bypass traditional firewalls and can take root on virtually any device, resulting in a far more heterogeneous population of compromised hosts than botnets such as Mirai.
Affected vendors were notified before the publication of the HalluSquatting research, and the researchers withheld exploit details they believe could be directly reused by attackers.
Related: AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
Related: Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations
Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection
Facts Only
* Researchers from Tel Aviv University, Technion, and Intuit detailed HalluSquatting.
* The technique turns AI assistants’ hallucination tendency into a scalable infection vector.
* Promptware attacks hack or hijack AI tools via prompt injection through channels like emails, logs, comments, and messaging notifications.
* HalluSquatting is an untargeted promptware relying on adversarial hallucination squatting.
* Attackers pre-register fake repository or package names that LLMs commonly invent.
* Hallucination rates reached 85% for repo-cloning prompts and 100% for skill installations in tests.
* Hallucinated names recur across different foundation models, making the technique broadly transferable.
* Unsuspecting users may prompt AI tools to clone repositories or install skills using these hallucinated names.
* The assistant may pull down the hallucinated resource and execute malicious instructions via its terminal.
* Agentic botnets can be created whose size depends on AI tool hallucination frequency.
Executive Summary
Full Take
Sentinel — Human
The text appears to be an accurate summary of technical research, exhibiting the structure and specific detail often found in human-authored reporting on cybersecurity findings, though the statistical claims require external verification.
