// 2 ZERO-DAY · 4 CVE · 4 EXPLOIT · 1 ADVISORY IN THE LAST 24H
Researchers from Tel Aviv University, Technion, and Intuit demonstrated that nine AI coding tools install botnet malware when asked for non-existent software. The attack, dubbed HalluSquatting, exploits a previously underestimated property of LLMs: hallucinations are not random but consistent and predictable across models, achieving success rates up to 85% on trending repositories and 100% on skill installations.

Researchers from Tel Aviv University, Technion, and Intuit have demonstrated that nine AI coding tools install botnet malware when prompted for software that does not exist. The attack, dubbed HalluSquatting, exploits a previously underestimated property of LLMs: hallucinations are not random, but consistent and predictable. Aya Spira, Elad Feldman, Avishai Wool, Ben Nassi, Stav Cohen, and Ron Bitton presented their findings on July 7, 2026, with responsible disclosure conducted in advance to prevent immediate replication.

Key Takeaways
  • Nine AI assistants — including Cursor, Gemini CLI, GitHub Copilot, and Windsurf — are vulnerable to HalluSquatting, with hallucination rates up to 85% on trending repositories and 100% on skill installations.
  • Hallucinations are consistent across different models: the same non-existent repository names are generated repeatedly, making the attack predictable and scalable without individual targeting.
  • The most exploitable pattern is "self-referential" (identical owner/repo-name), which requires no model probing and works across multiple tools without adaptation.
  • The payload arrives as text read by the AI itself, not as a network exploit: once fetched, the malicious content induces the agent to execute commands via the integrated terminal, using its own permissions.

The Four-Stage Mechanism: From Invented Name to Operational Botnet

HalluSquatting is neither traditional malware nor a network exploit. The vector is architectural: the AI agent conflates the name of a repository the user requests with the action of downloading and executing it. The mechanism unfolds in four stages. The user asks for a package or skill; the assistant hallucinates a plausible but non-existent name; the attacker has already registered that name on a public repository or skill store; the AI downloads the content, reads the malicious instructions, and executes them through the integrated terminal.

The escalation point is precisely this terminal. The injection is indirect: the payload does not arrive from the user's prompt, but from content the agent retrieves autonomously. As The Hacker News summarized, "the AI is the delivery van, not the cargo." Once executed, the script can aggregate compromised machines into a botnet for mining or DDoS activity, according to the paper cited by Ars Technica.

Why Hallucinations Become Predictable

The crucial discovery — and the one that transforms a language error into a security vulnerability — is cross-model consistency. As documented by The Hacker News, "the error was consistent: with different phrasings and across models from different companies, the assistant arrived at the same wrong name." This predictability allows the attacker to squat before the victim even makes the request, eliminating the need for individual targeting.

Ars Technica highlighted a sharp temporal correlation: for repositories published before 2019, the average hallucination rate is only 0.9%; for 2025 repositories it rises to 92.4%. The model hallucinates more when its training data is older than the request — exactly the case with "trending" software the user seeks but the system does not know. The "self-referential" pattern — where the repository name is treated as the owner, generating pairs like repo-name/repo-name — is the most exploitable because it requires zero prior knowledge of the model and works across multiple platforms without customization.

"Attacks always get better; they never get worse." — Aya Spira et al., cited by The Hacker News

Operational Context: From Phantom Squatting to Code Execution

HalluSquatting does not emerge from a vacuum. Palo Alto Networks' Unit 42 documented a related threat class in 2025, Phantom Squatting, with approximately 250,000 unregistered hallucinated domains and a prediction window of 18-51 days before attackers purchased them. In the Montana Empire case, the lead time was 23 days. However, Phantom Squatting was limited to web domains; HalluSquatting elevates the concept to code execution on local machines, via autonomous agents with shell access and system permissions.

A contextual data point makes the exposure immediate. In January 2026, Charlie Eriksen of Aikido Security found the npm package react-codeshift — invented by an AI and non-existent in official repositories — in 237 real projects. By June 2026, Trail of Bits demonstrated that malicious skills bypass store checks in under an hour. The AI-to-AI supply chain is already active; HalluSquatting exploits its logic without needing to compromise existing infrastructure.

Immediate Actions

  • Manually verify the name and provenance of every repository or skill before authorizing installation, especially when the AI assistant suggests packages not explicitly requested by the user.
  • Disable "auto-run" or "skip-permissions" modes in tools that support them, so code execution requires explicit confirmation.
  • Isolate development environments where AI agents operate with elevated privileges, limiting access to network resources and shared storage.
  • Monitor execution logs of integrated terminals in AI assistants, with particular attention to fetches toward non-whitelisted repositories or recently registered domains.

A Structural Flaw That Evades Traditional Patches

The core problem with HalluSquatting is that it does not reside in a single bug fixable with a patch. The AI assistant must generate plausible names to function; it must integrate with external repositories to be useful; it must execute code to perform the requested task. Every single function is legitimate; the composition is lethal. As Bruce Schneier analyzed in 2024 regarding data-control path insecurity, the overlap between data path and control path is an architectural weakness, not an implementation error.

The researchers proposed mitigations including human verification of generated names, whitelisting known repositories, and "planner training" techniques to reduce hallucination frequency. However, the brief does not document whether vendors have deployed specific updates or which tools have implemented these countermeasures. No infrastructure overlaps linking the attack to known operators emerge at this stage.

Frequently Asked Questions

Does the attack require the victim to manually install software?

No. The user does not need to recognize or explicitly approve the hallucinated package: the AI agent searches for it, downloads it, and executes it autonomously, often without interrupting the workflow.

Because LLM training data has a cutoff date. Recent repositories are not in the training data, so the model must invent a plausible name; for historical ones, knowledge is solid and hallucination drops to 0.9%.

Are all nine tested tools equally vulnerable?

Success rates vary, but the self-referential pattern worked on all nine without platform-specific adaptation. The attack's scalability derives precisely from this cross-platform portability.

The traditional line of defense — firewalls, EDR, network segmentation — does not intercept a payload that arrives as text read and re-executed by the AI itself. HalluSquatting shifts the attack perimeter from the server to the agent, and from the agent to blind trust in the name it generated.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. thehackernews.com
  2. schneier.com
  3. arstechnica.com
  4. prismnews.com
  5. news.shield53.com
  6. unit42.paloaltonetworks.com
  7. thehackernews.uk