# HalluSquatting Exploits LLM Hallucinations to Assemble Agentic Botnets

> Researchers from Tel Aviv University and Technion show how attackers register hallucinated resources to turn nine popular AI coding tools into vectors for large-scale prompt-injection attacks and botnet formation.

*Published 2026-07-08 · By The Intel Desk*

HalluSquatting is a technique that weaponizes LLMs' predictable hallucinations into the first scalable untargeted prompt-injection attacks on AI coding agents.

Enterprise adoption of AI coding assistants has accelerated rapidly in recent years as organizations seek productivity gains in software development. These tools integrate directly into workflows through IDE plugins and command-line interfaces that allow agents to clone repositories, install skills, and execute code autonomously. The integration creates new attack surfaces because the agents operate with elevated permissions and direct access to system shells.

Traditional security models focused on network perimeters and user authentication have not fully accounted for the autonomous decision-making capabilities now present in these systems. When an agent hallucinates a resource identifier, it may proceed to fetch and execute content from an attacker-controlled source without additional verification steps. This behavior stems from the statistical nature of language model training that favors plausible but incorrect outputs for novel or low-frequency tokens.

## Background on AI Agent Security Risks

AI coding agents rely on external resources such as GitHub repositories and skill libraries to extend their functionality. Models are trained on vast datasets that include popular repositories but exhibit sharp drops in accuracy for recently published or niche items. This creates predictable failure modes where the model generates names that match attacker-registered domains rather than the intended legitimate resources.

Prior research on prompt injection has largely targeted specific applications or required direct user interaction. HalluSquatting differs by operating at the resource identification layer, allowing a single registration to affect any agent that hallucinates the same identifier. The attack requires no prior knowledge of individual targets and scales through the natural distribution of hallucination patterns across different models and fine-tunes.

## Details of the HalluSquatting Attack

The attack begins when researchers or attackers identify high-probability hallucination targets by querying models with prompts that request resource recommendations. They then register those exact names on the relevant platforms and embed instructions that execute when the resource is accessed. The instructions leverage the integrated terminal capabilities present in most agentic applications to download and install reverse shells or botnet clients.

Testing across the nine affected tools demonstrated consistent success rates tied directly to the underlying hallucination statistics. For repositories published in 2025 the mean rate reached 92.4 percent while older repositories published before 2019 showed only 0.9 percent. Similar patterns appeared in skill installation scenarios where trending items reached 100 percent hallucination rates.

## Technical Specifics of Resource Hallucination

The mechanism depends on the tokenizer and training data distribution within each model. New repositories receive fewer training examples, increasing the likelihood that the model will generate a similar but incorrect name. Attackers can further improve success by choosing names that align with common naming conventions used in open-source projects, such as descriptive prefixes or version indicators.

Once the agent resolves the hallucinated identifier to the attacker-controlled resource, execution occurs through the application's built-in shell or terminal interface. The embedded instructions run with the same privileges as legitimate operations, bypassing many existing security controls that assume user-initiated actions. The process leaves minimal forensic traces beyond standard package installation logs.

Nine AI Tools Affected by HalluSquatting AttacksTool NameCategoryVulnerability MechanismCursorAI Coding AssistantRepository cloning via hallucinated GitHub namesCursor CLICommand Line InterfaceTerminal execution of embedded scriptsGemini CLICommand Line InterfaceSkill installation from hallucinated sourcesWindsurfAI Coding AssistantRepository cloning via hallucinated GitHub namesGitHub CopilotAI Coding AssistantRepository cloning via hallucinated GitHub namesClineAI Coding AssistantRepository cloning via hallucinated GitHub namesOpenClawAI AssistantSkill installation from hallucinated sourcesZeroClawAI AssistantSkill installation from hallucinated sourcesNanoClawAI AssistantSkill installation from hallucinated sources

## Market and Stakeholder Implications

Enterprise security teams must now evaluate AI coding tools not only for productivity benefits but also for their exposure to autonomous execution risks. The ability to create botnets at scale through untargeted means represents a shift from targeted malware campaigns to infrastructure-level threats that can affect thousands of independent deployments simultaneously.

Vendors of the affected tools face pressure to implement verification mechanisms for resource identifiers before execution. Potential mitigations include requiring cryptographic signatures on repositories or maintaining allow-lists of approved resources. Without such changes, organizations may need to restrict agent capabilities or implement additional monitoring on terminal activity.

## Expert Reactions to the Research

> By exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively “infect” many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register.Aya Spira et al., Researchers

Michael Bargury, CTO of Zenity, described the findings as significant. The research highlights that the level of agency granted to these systems directly correlates with the potential damage from such attacks. Industry observers note that similar issues in traditional software ecosystems, such as typosquatting, have proven persistent despite awareness.

## What's Next for Agentic AI Defenses

Future development of AI agents will likely incorporate explicit resource verification steps and reduced reliance on open-ended hallucination-prone recommendations. Researchers recommend that developers limit the autonomy of terminal access and require explicit user confirmation for actions involving external resources.

- Identify high-probability hallucination targets through model querying
- Register matching resource names on public platforms
- Embed malicious installation instructions in the registered content
- Wait for agents to hallucinate and fetch the resource
- Execute reverse shell or botnet payload through integrated terminals

Continued monitoring of hallucination rates across model updates will be necessary as training data evolves. The current findings establish a baseline for measuring the effectiveness of any deployed countermeasures in reducing the success rate of HalluSquatting attempts.

## Sources

1. [We show that attackers can exploit predictable LLM hallucinations of resource identifiers to launch scalable, untargeted prompt injection attacks... up to 85% in repository cloning scenarios and up to 100% in skill installation... against various LLM applications... including AI coding assistants (Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline), CLIs (Gemini CLI), and assistants (OpenClaw, ZeroClaw, and NanoClaw)](https://sites.google.com/view/agentic-botnets/home)
2. [A new attack the researchers have named HalluSquatting has the potential to assemble massive botnets, perform large-scale DDoSes, and infect devices at scale, a first for prompt-injection attacks. The attack works against AI coding assistants and agents, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw](https://arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets)

---
Source: https://aiintelreport.com/enterprise-ai/hallusquatting-exploits-ai-tools-for-botnets
Index: https://aiintelreport.com/llms.txt · Full text: https://aiintelreport.com/llms-full.txt
