Skip to content
Chimera readability score 82 out of 100, Specialist reading level.

Researchers from Tel Aviv University, Technion, and Intuit have detailed a new attack technique dubbed ‘HalluSquatting’ that turns AI assistants’ tendency to hallucinate into a scalable infection vector.
The cybersecurity community has identified several ways to hack or hijack AI tools through prompt injection delivered via channels such as emails, logs, comments, and messaging notifications.
These promptware attacks leverage the fact that the attacker has a direct channel to the targeted user’s LLM application.
HalluSquatting, on the other hand, has been described as a form of untargeted promptware that relies on a technique named adversarial hallucination squatting, in which threat actors can exploit AI applications at scale without a direct channel.
In a HalluSquatting attack, the attacker pre-registers the fake repository or package names that LLMs commonly invent when asked to fetch popular, trending resources.
The research team says hallucination rates in their tests reached as high as 85% for repo-cloning prompts and 100% for skill installations, and that the same hallucinated names tend to recur across different foundation models, making the technique broadly transferable.
Once the hallucinated repositories and packages are registered, the attacker can plant malicious instructions inside them.
When an unsuspecting user asks an AI tool like Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, or OpenClaw to clone a repository or install a skill, the assistant may hallucinate the squatted name, pull it down, and execute the attacker’s commands via its built-in terminal.
Those commands can direct the AI to run additional tools or code, potentially deploying various types of malware or hacking tools.
The HalluSquatting research has focused on using the technique to create agentic botnets whose size depends on how often AI tools hallucinate the attacker’s squatted resource.
Traditional botnets rely on vulnerabilities, weak security practices, and lateral movement. In contrast, agentic botnets spread via prompt injections that bypass traditional firewalls and can take root on virtually any device, resulting in a far more heterogeneous population of compromised hosts than botnets such as Mirai.
Affected vendors were notified before the publication of the HalluSquatting research, and the researchers withheld exploit details they believe could be directly reused by attackers.
Related: AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
Related: Google Dialogflow CX Bug Allowed Attackers to Hijack AI Conversations
Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection

Facts Only

* Researchers from Tel Aviv University, Technion, and Intuit detailed HalluSquatting.
* The technique turns AI assistants’ hallucination tendency into a scalable infection vector.
* Promptware attacks hack or hijack AI tools via prompt injection through channels like emails, logs, comments, and messaging notifications.
* HalluSquatting is an untargeted promptware relying on adversarial hallucination squatting.
* Attackers pre-register fake repository or package names that LLMs commonly invent.
* Hallucination rates reached 85% for repo-cloning prompts and 100% for skill installations in tests.
* Hallucinated names recur across different foundation models, making the technique broadly transferable.
* Unsuspecting users may prompt AI tools to clone repositories or install skills using these hallucinated names.
* The assistant may pull down the hallucinated resource and execute malicious instructions via its terminal.
* Agentic botnets can be created whose size depends on AI tool hallucination frequency.

Executive Summary

Researchers from Tel Aviv University, Technion, and Intuit detailed a new attack technique called ‘HalluSquatting,’ which exploits the tendency of AI assistants to hallucinate into a scalable infection vector. This method involves promptware attacks delivered through channels like emails, logs, comments, and messaging notifications to hijack AI tools via prompt injection. HalluSquatting is a form of untargeted promptware utilizing adversarial hallucination squatting, where threat actors exploit AI applications at scale without direct access. Attackers pre-register fake repository or package names that LLMs commonly invent when asked to fetch trending resources. When a user prompts an AI tool (such as Cursor, GitHub Copilot, or Gemini CLI) to clone a repository or install a skill using these hallucinated names, the assistant may execute the attacker's commands via its terminal. These commands can lead to the deployment of malware or hacking tools. The research indicates that hallucination rates reached 85% for repo-cloning prompts and 100% for skill installations in tests. The hallucinated names tend to be transferable across different foundation models.

Full Take

The mechanism of HalluSquatting highlights a critical vulnerability in the trust relationship between users and generative AI systems, moving beyond traditional security boundaries enforced by firewalls toward exploiting semantic drift within the model's own knowledge representation. The core implication is that systemic failures in grounding—where the LLM’s output does not accurately reflect verifiable reality—can be weaponized at scale, bypassing perimeter defenses entirely through internal logic manipulation rather than external exploitation. The transition from traditional botnets based on network vulnerabilities to agentic botnets via prompt injection represents an evolution where the attack surface shifts from compromised endpoints to the very semantics of the AI reasoning process itself. The concept of adversarial hallucination squatting demonstrates that information entropy, rather than mere access control, can become the scalable vector for compromise. This suggests that cognitive sovereignty is threatened not just by external threats but by the internal, unverified pathways through which complex systems generate actionable outputs. What are the implications if this method is applied to critical infrastructure agents operating autonomously? What safeguards must exist within agentic frameworks to ensure that hallucination remains confined to the generative space and cannot translate into actual, executable actions in the environment?

Sentinel — Human

Confidence

The text appears to be an accurate summary of technical research, exhibiting the structure and specific detail often found in human-authored reporting on cybersecurity findings, though the statistical claims require external verification.

Signals Detected
low severity: Moderate sentence length variance; technical focus maintains a specific rhythm.
low severity: High internal consistency; the flow from concept (hallucination) to technique (squatting) to application (botnets) is logical.
low severity: Attribution is specific (Tel Aviv University, Technion, Intuit); reference to affected vendors and withheld details suggests source-based reporting.
medium severity: Claims regarding hallucination rates (85%, 100%) are presented as direct research findings, which requires verification of the underlying study context.
Human Indicators
Specific attribution to academic/industry entities (Tel Aviv University, Technion, Intuit) suggests a grounding in real-world research.
The discussion of contrasting botnet types (agentic vs. Mirai) shows nuanced comparative reasoning beyond simple aggregation.
‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism — Arc Codex