News·4 min read

Agentic Botnets Attack Uses HalluSquatting to Hijack AI Coding Assistants

A newly disclosed attack technique, called adversarial hallucination squatting (HalluSquatting), developed by researchers at Tel Aviv University and Technion, exploits the predictable tendency of larg

CS
CyberShield Team
2026-07-09
Share:
Agentic Botnets Attack Uses HalluSquatting to Hijack AI Coding Assistants

A newly disclosed attack technique, called adversarial hallucination squatting (HalluSquatting), developed by researchers at Tel Aviv University and Technion, exploits the predictable tendency of large language models to hallucinate resource identifiers. According to Google, enabling attackers to hijack popular AI coding assistants at scale and assemble them into a botnet. HalluSquatting works by having attackers […] The post Agentic Botnets Attack Uses HalluSquatting to Hijack AI Coding Assistants appeared first on Cyber Security News.

A newly disclosed attack technique, called adversarial hallucination squatting (HalluSquatting), developed by researchers at Tel Aviv University and Technion, exploits the predictable tendency of large language models to hallucinate resource identifiers. According to Google, enabling attackers to hijack popular AI coding assistants at scale and assemble them into a botnet. HalluSquatting works by having attackers preemptively register resources such as repository names or AI “skills” that LLMs are statistically likely to hallucinate when responding to common developer prompts like “clone repository” or “install skill”. By probing foundational models to compute a distribution of the most probable hallucinated names, attackers identify high-probability “universal squatting candidates” and plant adversarial prompts inside those fake resources before a real user ever asks. Agentic Botnets Attack Uses HalluSquatting This approach is conceptually similar to slopsquatting, in which attackers publish malicious packages under names that AI coding tools frequently invent, but HalluSquatting extends the concept beyond software packages to a broader class of agentic resources and demonstrates its use for full botnet recruitment. The attack unfolds in a chain: an attacker first tracks trending repositories or skills and probes an oracle to build a hallucination distribution, then registers the highest-probability fake resource embedded with malicious instructions. When a legitimate user later asks an AI coding assistant to perform a routine task, the application’s planner hallucinates a reference to the squatted resource instead of the real one, retrieves it, and the poisoned content hijacks the agent’s context, triggering an unauthorized tool invocation. Attack Flow (Source: google) Tel Aviv University demonstrated hallucination rates as high as 85 percent in repository-cloning scenarios and up to 100 percent in skill-installation scenarios, with hallucinations transferring reliably across different foundational models and prompts. Affected Tools The technique was shown to enable remote tool and remote code execution across a wide range of production AI coding assistants and agentic platforms, exposing a supply-chain-style risk for tools that rely on integrated terminals. CategoryAffected ToolsAI coding assistantsCursor, Cursor CLI, Windsurf, GitHub Copilot, ClineCLIsGemini CLIAutonomous assistantsOpenClaw, ZeroClaw, NanoClaw Technion team noted that “auto-run” or permission-bypass modes, such as skip-permissions flags or “yolo mode” in some CLIs, significantly widen the exposure window, since they allow an agent to execute fetched code without human review. Unlike traditional targeted prompt injection delivered via emails or calendar invites, HalluSquatting is untargeted and pull-based: it requires no direct channel to the victim application, since the victim’s own agent “pulls” the poisoned resource from the internet during normal operation. This shifts prompt injection from a bespoke, one-target-at-a-time technique into a scalable mechanism resembling classic botnet propagation, where a single squatted resource can compromise any agent that happens to hallucinate its way to it. Mitigations The Tel Aviv University and Technion team responsibly disclosed the findings to affected vendors, model providers, and marketplace maintainers, and proposed layered mitigations rather than a single fix. Require a search-tool invocation before any fetch operation, biasing planners toward verifying resource names rather than trusting hallucinated ones Analyze user prompts and generated execution plans for retrieval-intent keywords (“clone,” “install,” “fetch”) to enforce a mandatory verification step Disable auto-run and permission-skipping modes when agents handle freshly fetched, unverified content The findings underscore that as AI coding assistants gain more autonomy and terminal access, their own hallucinations are becoming an exploitable attack surface one that mirrors, and could eventually surpass, the scale of traditional botnet infrastructure. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Agentic Botnets Attack Uses HalluSquatting to Hijack AI Coding Assistants appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.