Vulnerability  ·  2026-07-11

HalluSquatting — Adversarial Hallucination Squatting Enables Botnet Distribution via AI Coding Assistants

VulnerabilityHigh impactGlobal
Researchers from Tel Aviv University, Technion, and Intuit published 'Beware of Agentic Botnets,' introducing adversarial hallucination squatting: attackers predict which non-existent package/repo/skill names LLMs are most likely to hallucinate when asked to fetch trending resources, preemptively register those names with malicious payloads, and wait for AI coding agents to autonomously fetch and execute them. The technique achieved hallucination rates up to 85% (existing repos) and 92.4% (post-cutoff repos/skills) and was demonstrated to achieve remote tool execution and RCE against Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, ZeroClaw, and NanoClaw.
Unlike prior prompt injection which requires attacker-controlled push channels (email, calendar invites) limiting scale, this is a pull-based, zero-interaction, untargeted attack — a single planted malicious package can be fetched automatically by any developer's agent that has autonomous file-fetch-and-execute capability, with no phishing click, credential entry, or user deception required. It affects nearly every major AI coding assistant simultaneously since the hallucination pattern (especially self-referential owner/repo naming) is consistent across GPT-5.1/5.2, Claude Sonnet-4.5/Opus-4.5, and Gemini-2.5, making it a structural, cross-vendor architecture flaw rather than a single-vendor bug.
Attacker registers hallucinated package/repo/skill names predicted via LLM-hallucination-distribution analysis on popular platforms (GitHub etc.), embeds malicious install/execution scripts; AI coding agent autonomously fetches and executes the poisoned resource when a developer asks it to clone or install a trending resource
Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, ZeroClaw, NanoClaw (AI coding agents with autonomous fetch/execute tool access)
Disable autonomous/auto-approve execution modes for untrusted code fetches; implement package/repo allowlisting against authoritative registries; verify AI-suggested dependencies manually before install; no single patch available — vendors were notified pre-disclosure
arXiv — Beware of Agentic BotnetsSecurityWeek
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →