Enterprise AI
HalluSquatting Exploits LLM Hallucinations to Assemble Agentic Botnets
Researchers from Tel Aviv University and Technion show how attackers register hallucinated resources to turn nine popular AI coding tools into vectors for large-scale prompt-injection attacks and botnet formation.
HalluSquatting is a technique that weaponizes LLMs' predictable hallucinations into the first scalable untargeted prompt-injection attacks on AI coding agents.
Enterprise adoption of AI coding assistants has accelerated rapidly in recent years as organizations seek productivity gains in software development. These tools integrate directly into workflows through IDE plugins and command-line interfaces that allow agents to clone repositories, install skills, and execute code autonomously. The integration creates new attack surfaces because the agents operate with elevated permissions and direct access to system shells.
Traditional security models focused on network perimeters and user authentication have not fully accounted for the autonomous decision-making capabilities now present in these systems. When an agent hallucinates a resource identifier, it may proceed to fetch and execute content from an attacker-controlled source without additional verification steps. This behavior stems from the statistical nature of language model training that favors plausible but incorrect outputs for novel or low-frequency tokens.
Background on AI Agent Security Risks
AI coding agents rely on external resources such as GitHub repositories and skill libraries to extend their functionality. Models are trained on vast datasets that include popular repositories but exhibit sharp drops in accuracy for recently published or niche items. This creates predictable failure modes where the model generates names that match attacker-registered domains rather than the intended legitimate resources.
Prior research on prompt injection has largely targeted specific applications or required direct user interaction. HalluSquatting differs by operating at the resource identification layer, allowing a single registration to affect any agent that hallucinates the same identifier. The attack requires no prior knowledge of individual targets and scales through the natural distribution of hallucination patterns across different models and fine-tunes.
Details of the HalluSquatting Attack
The attack begins when researchers or attackers identify high-probability hallucination targets by querying models with prompts that request resource recommendations. They then register those exact names on the relevant platforms and embed instructions that execute when the resource is accessed. The instructions leverage the integrated terminal capabilities present in most agentic applications to download and install reverse shells or botnet clients.
Testing across the nine affected tools demonstrated consistent success rates tied directly to the underlying hallucination statistics. For repositories published in 2025 the mean rate reached 92.4 percent while older repositories published before 2019 showed only 0.9 percent. Similar patterns appeared in skill installation scenarios where trending items reached 100 percent hallucination rates.
Technical Specifics of Resource Hallucination
The mechanism depends on the tokenizer and training data distribution within each model. New repositories receive fewer training examples, increasing the likelihood that the model will generate a similar but incorrect name. Attackers can further improve success by choosing names that align with common naming conventions used in open-source projects, such as descriptive prefixes or version indicators.
Once the agent resolves the hallucinated identifier to the attacker-controlled resource, execution occurs through the application's built-in shell or terminal interface. The embedded instructions run with the same privileges as legitimate operations, bypassing many existing security controls that assume user-initiated actions. The process leaves minimal forensic traces beyond standard package installation logs.
| Tool Name | Category | Vulnerability Mechanism |
|---|---|---|
| Cursor | AI Coding Assistant | Repository cloning via hallucinated GitHub names |
| Cursor CLI | Command Line Interface | Terminal execution of embedded scripts |
| Gemini CLI | Command Line Interface | Skill installation from hallucinated sources |
| Windsurf | AI Coding Assistant | Repository cloning via hallucinated GitHub names |
| GitHub Copilot | AI Coding Assistant | Repository cloning via hallucinated GitHub names |
| Cline | AI Coding Assistant | Repository cloning via hallucinated GitHub names |
| OpenClaw | AI Assistant | Skill installation from hallucinated sources |
| ZeroClaw | AI Assistant | Skill installation from hallucinated sources |
| NanoClaw | AI Assistant | Skill installation from hallucinated sources |
Market and Stakeholder Implications
Enterprise security teams must now evaluate AI coding tools not only for productivity benefits but also for their exposure to autonomous execution risks. The ability to create botnets at scale through untargeted means represents a shift from targeted malware campaigns to infrastructure-level threats that can affect thousands of independent deployments simultaneously.
Vendors of the affected tools face pressure to implement verification mechanisms for resource identifiers before execution. Potential mitigations include requiring cryptographic signatures on repositories or maintaining allow-lists of approved resources. Without such changes, organizations may need to restrict agent capabilities or implement additional monitoring on terminal activity.
Expert Reactions to the Research
By exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively “infect” many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register.Aya Spira et al., Researchers
Michael Bargury, CTO of Zenity, described the findings as significant. The research highlights that the level of agency granted to these systems directly correlates with the potential damage from such attacks. Industry observers note that similar issues in traditional software ecosystems, such as typosquatting, have proven persistent despite awareness.
What's Next for Agentic AI Defenses
Future development of AI agents will likely incorporate explicit resource verification steps and reduced reliance on open-ended hallucination-prone recommendations. Researchers recommend that developers limit the autonomy of terminal access and require explicit user confirmation for actions involving external resources.
- Identify high-probability hallucination targets through model querying
- Register matching resource names on public platforms
- Embed malicious installation instructions in the registered content
- Wait for agents to hallucinate and fetch the resource
- Execute reverse shell or botnet payload through integrated terminals
Continued monitoring of hallucination rates across model updates will be necessary as training data evolves. The current findings establish a baseline for measuring the effectiveness of any deployed countermeasures in reducing the success rate of HalluSquatting attempts.
Frequently asked
How does HalluSquatting enable botnet creation?
HalluSquatting works by registering resources with names that LLMs are likely to hallucinate. When an agent fetches the resource it executes embedded instructions that install reverse shells, allowing the device to join a coordinated botnet.
Which organizations published the HalluSquatting research?
The research was conducted by Aya Spira, Elad Feldman, Avishai Wool, and Ben Nassi at Tel Aviv University along with Stav Cohen at Technion and Ron Bitton at Intuit.
What mitigation steps can enterprises take against HalluSquatting?
Enterprises can restrict terminal access in AI agents, require explicit confirmation for external resource operations, and maintain allow-lists of approved repositories and skills to reduce exposure to hallucinated identifiers.