HalluSquatting Exploits AI Coding Assistants to Deliver Malware

New research shows attackers can exploit predictable AI hallucinations to register fake repositories and trick coding assistants into executing malicious code.
AI coding assistant suggesting a Git repository to clone inside a development environment, illustrating the HalluSquatting attack where hallucinated repository names can lead to malicious code execution.

AI coding assistants have become a common part of software development, helping developers clone repositories, install dependencies, and execute commands with minimal user interaction. New research suggests that convenience can also create a new attack surface.

Researchers from Tel Aviv University, Technion, and Intuit have introduced a technique called HalluSquatting, which exploits the tendency of large language models (LLMs) to hallucinate software repository and package names. Instead of compromising legitimate projects, attackers can register the fake resource names that AI assistants consistently invent, causing the assistants to retrieve attacker-controlled content and potentially execute malicious code.

The researchers demonstrated the technique against several popular AI coding tools, including Cursor, GitHub Copilot, Windsurf, Cline, Gemini CLI, OpenClaw, ZeroClaw, and NanoClaw, achieving remote tool execution and remote code execution under certain conditions.

Turning AI mistakes into an attack vector

Rather than relying on traditional phishing or software supply chain compromises, HalluSquatting targets the decision-making process of AI assistants themselves.

The attack begins by identifying a popular or recently released repository that developers are likely to request. Because newly published projects may not exist in an LLM’s training data, AI assistants are more likely to guess the repository name instead of retrieving the correct one.

Researchers found these guesses are often surprisingly consistent. Attackers can repeatedly query an AI assistant, identify the hallucinated repository names it generates most frequently, register those repositories on GitHub or other software marketplaces, and embed malicious instructions inside them.

When another user later asks an AI coding assistant to clone the legitimate project, the assistant may instead retrieve the attacker-controlled repository. If the assistant has permission to execute commands automatically, embedded prompt injection instructions can direct it to download malware, execute scripts, or perform other malicious actions.

High hallucination rates increase the risk

According to the researchers, hallucinated resource names appeared in up to 85% of repository cloning scenarios and reached 100% during skill installation testing. More importantly, many hallucinations were transferable across different prompts and multiple foundation models, meaning attackers can predict the same incorrect resource names across several AI assistants.

The researchers describe this predictability as the key innovation behind HalluSquatting. Instead of waiting for users to make typing mistakes, similar to traditional typosquatting attacks, threat actors exploit AI systems that consistently generate the same incorrect repository names.

The study refers to this as adversarial hallucination squatting because attackers intentionally register hallucinated resources before legitimate developers have an opportunity to use those names.

From prompt injection to malware execution

The researchers describe HalluSquatting as combining two existing attack techniques into a single workflow.

First, the AI assistant hallucinates an incorrect repository or package identifier. After retrieving the attacker-controlled resource, hidden prompt injection instructions manipulate the assistant into executing additional commands using its built-in tools.

The diagram below illustrates the HalluSquatting attack chain described in the research paper.

Overview of the HalluSquatting attack chain. An attacker pre-registers repository or package names that AI coding assistants are likely to hallucinate, allowing the assistant to retrieve attacker-controlled content, execute hidden prompt injections, and potentially install malware through its built-in tools.
Image credit: Tel Aviv University, “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” Available at: https://sites.google.com/view/agentic-botnets/home

Rather than exploiting a software vulnerability, the attack abuses the permissions already granted to modern AI coding assistants. Many agentic development tools can access the terminal, download files, install software, and execute scripts on behalf of the user.

Researchers recommend stronger verification

The paper emphasizes that HalluSquatting is not tied to a single vendor or vulnerability. Instead, it stems from the way many LLM-powered applications resolve software resources and interact with external content.

To reduce the risk, the researchers recommend requiring AI assistants to verify repository names through live searches before cloning or installing resources, keeping human approval enabled before executing terminal commands, and avoiding fully autonomous execution modes that allow agents to run downloaded code without review.

The researchers also suggest repository hosting platforms could proactively reserve or block commonly hallucinated repository names, similar to defenses already used against typosquatting attacks.

The team said affected vendors, foundation model providers, and marketplace operators were notified before publication, and implementation details that could directly facilitate exploitation were intentionally withheld from the public research.

Sources

X
LinkedIn
Reddit
Telegram
WhatsApp
Threads
Facebook
Email
Print
Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map