READ. SCROLL. LISTEN.

Original briefings. Zero spin.

Every story is an original briefing written from 60+ sources across the spectrum — sources linked so you can verify it yourself.

← Back to headlines

Researchers Find Nine AI Coding Tools Vulnerable to 'HalluSquatting' Attacks That Can Build Botnets at Scale

Researchers Find Nine AI Coding Tools Vulnerable to 'HalluSquatting' Attacks That Can Build Botnets at Scale
A newly documented attack technique called HalluSquatting exploits AI coding assistants' tendency to hallucinate package names, letting attackers pre-register those fake identifiers with malicious payloads. Nine widely used tools, including GitHub Copilot, Cursor, and Gemini CLI, are susceptible. No patch or systemic fix exists yet.

A team of security researchers published a paper on Wednesday describing HalluSquatting, a pull-based prompt injection technique capable of infecting large numbers of developer machines without targeting any individual victim.

What the Attack Does

AI coding assistants and agents regularly fetch packages, libraries, and other resources from external repositories and registries during normal work. These models frequentlyhallucinate resource identifiers, confidently citing package names or repository paths that do not actually exist. HalluSquatting — short for adversarial hallucination squatting — weaponizes that tendency. Attackers study which fake identifiers LLMs are most likely to invent, then register those names in real registries and seed them with malicious payloads: reverse shells, credential harvesters, or other malware. When an AI assistant hallucinates that identifier and fetches it, the malicious code runs. The researchers describe the attack's reach bluntly: "The scalable property of the attack enables the attacker to compromise a large number of users with minimal effort by targeting popular resources, thereby maximizing the likelihood that the squatted resource will be retrieved." These tools share a key trait: they operate with elevated system access, routinely hitting command lines to pull and execute third-party code. That combination — high privilege plus hallucination-prone retrieval — is what makes the exploit viable at scale.

Why This Is Different From Prior Prompt Injection

Most documented prompt injection attacks to date have beenpush-based: an attacker embeds malicious instructions in an email, calendar invite, or file and sends it to a specific target. Scale is inherently limited because each victim has to be individually reached. Pull-based attacks, where an LLM wanders out to the web and retrieves adversarial content on its own, have existed in theory but never scaled well. There was no reliable way to guarantee a large number of AI agents would visit any particular malicious site. HalluSquatting solves that problem by working with the AI's own predictable failure modes. The attacker does not need to lure anyone. The hallucination does the luring.

The Root Problem Nobody Has Fixed

The underlying vulnerability, according to reporting on the paper, is structural. Large language models cannot reliably distinguish between legitimate instructions and malicious ones embedded in third-party content they process. Developers have responded with guardrails designed to limit damage, not eliminate the flaw. That gap matters here. HalluSquatting does not need to bypass a guardrail. It exploits the model's retrieval behavior before any content-level filter even activates.

The Strongest Counterargument A reasonable defense of the current state of AI tooling is

that software ecosystems have always faced dependency and supply-chain attacks. Package squatting on npm, PyPI, and similar registries predates AI by years. Defenders argue that registry-level controls, dependency pinning, and code-review practices can mitigate this class of attack regardless of whether an AI assistant or a human engineer initiated the fetch. Requiring cryptographic verification of packages, or sandboxing AI agents away from privileged shells, are existing countermeasures that apply directly. These are fair points. The problem is that AI coding assistants are being marketed partly on their ability to autonomously find and integrate dependencies. Sandboxing them away from privileged terminals largely defeats the purpose. And the tools named in this paper all currently operate with that elevated access.

What Comes Next None of the

named vendors had issued a public patch or advisory as of Wednesday, according to the researchers' paper. The research team did not specify whether they followed coordinated disclosure with any of the affected vendors before publishing. The open question this research leaves unresolved: whether LLM providers can make hallucination-driven identifier generation predictable enough for registry operators to proactively block likely squatting targets, or whether the sheer combinatorial space of possible hallucinated names makes that defense impractical at scale.

Sources used for this briefing

This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.

center-left
Ars TechnicaHackers can use 9 of the most popular AI tools to assemble massive botnets