VYPR
researchPublished Jul 8, 2026· 1 source

HalluSquatting Attack Exploits AI Coding Assistants to Deploy Botnet Malware

A novel 'HalluSquatting' attack leverages AI coding assistants' tendency to invent non-existent project names, tricking them into downloading and executing malicious code.

Researchers have unveiled a new attack vector dubbed "HalluSquatting" that capitalizes on a peculiar behavior of AI coding assistants: their propensity to hallucinate and invent non-existent project or repository names. This technique allows attackers to preemptively register these AI-generated names, thereby tricking the AI into recommending and potentially installing malicious code disguised as legitimate software. The attack chain culminates in the deployment of botnet malware by exploiting the AI's generative capabilities and its ability to execute commands.

The HalluSquatting attack cleverly combines two AI-related vulnerabilities: hallucination and prompt injection. The first quirk is the AI's tendency to invent plausible-sounding names for projects or resources that do not actually exist. The second is prompt injection, where malicious instructions are embedded within content fetched by the AI, hijacking its execution flow. In this scenario, the prompt injection is indirect, delivered through the content the AI retrieves rather than direct user input.

The attack process begins with an attacker identifying a trending repository or plugin that many users are likely to query their AI assistants about. The attacker then repeatedly prompts an AI to fetch this resource, meticulously recording the fake names the AI invents most frequently. Once a consistent hallucinated name is identified, the attacker registers it on platforms like GitHub or in plugin stores, embedding adversarial instructions within the registered content.

When a legitimate user later asks their AI assistant to retrieve the popular resource, the AI, following its learned pattern, invents the same hallucinated name. Instead of fetching the intended legitimate resource, the AI pulls the attacker-controlled version. The embedded malicious instructions are then interpreted by the AI as part of its task, leading it to execute the attacker's code.

This attack is particularly concerning because it bypasses traditional security measures. The payload is delivered as text that the AI interprets, not as a network exploit that firewalls would typically detect. Furthermore, the AI assistants often have built-in terminal tools, granting them the permissions to execute commands directly. Once the AI is hijacked, commands like "install a bot" can be executed without explicit user review, effectively turning the AI into an unwitting agent for botnet creation.

In testing, researchers found that the AI's invented names were highly consistent, with error rates as high as 85% for repository requests and 100% for skill installs across different AI models and phrasing. The research team successfully demonstrated this attack against various AI coding assistants, including Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family, causing them to execute attacker-supplied code. While the test payloads were harmless placeholders, a live attack could deploy actual malware.

This research builds upon previous work in AI-driven attacks. Similar techniques include "slopsquatting," where attackers register fake software package names invented by AIs, and "phantom squatting," which involves registering non-existent domains hallucinated by LLMs. HalluSquatting extends these concepts by directly hijacking the AI agent responsible for fetching and executing code, creating a more potent threat vector.

To mitigate this threat, developers of AI assistants are urged to implement a search-before-fetch mechanism, grounding the AI in real-world resources and reducing reliance on invented names. Users and security teams should ensure that AI agents are configured to ask for confirmation before executing any commands, disabling auto-run modes that pose a significant risk. The researchers also noted that they informed affected vendors before public disclosure and withheld specific exploit details.

Synthesized by Vypr AI