Ai Coding 3 min read

HalluSquatting Turns AI Package Hallucinations Into Botnets

A novel pull-based attack called HalluSquatting exploits LLM hallucinations to trick popular AI coding assistants into executing malicious code.

On July 8, 2026, researchers publicly disclosed HalluSquatting, a pull-based prompt-injection technique that exploits large language models hallucinating non-existent resource identifiers. By registering malicious code under hallucinated domains or package names, attackers use AI coding assistants and autonomous agents to assemble botnet nodes on developer machines.

The Pull-Based Attack Vector

Unlike traditional push attacks that rely on phishing or direct targeting, HalluSquatting leverages the inherent predictive behavior of LLMs. A research team led by Spira et al., with validation from Palo Alto Networks’ Unit 42, identified that models consistently hallucinate the same package names and URLs when queried on topics with sparse training data. Understanding why AI hallucinates reveals why this consistency occurs: models predict plausible but fictitious strings based on syntax patterns.

Attackers monitor these common hallucinations and proactively register them on public registries like PyPI and npm, or as standard web domains. When an AI tool suggests the hallucinated resource to solve a developer’s problem, the victim or the autonomous agent initiates the download, executing malware such as reverse shells.

Affected Tools and Scope

The research confirms that 9 major tools are susceptible. Because these systems often hold high-privilege access to local command lines and cloud environments, they serve as highly effective distribution mechanisms for malicious payloads.

The affected tools include:

  • Cursor and Cursor CLI
  • Gemini CLI
  • Windsurf
  • GitHub Copilot
  • Cline
  • OpenClaw, ZeroClaw, and NanoClaw

The scale of the threat extends beyond theoretical exploit paths. The research team analyzed 2.1 million generated URLs across 913 global brands.

MetricDetail
Discovery DateJuly 8, 2026
Attack NameHalluSquatting
Primary VectorsPyPI, npm, domain typosquatting
Impacted URLs13,000 confirmed malicious
Squattable Domains250,000 unregistered

Behavioral Exploitation in Autonomous Systems

Security experts categorize HalluSquatting as a behavioral exploit rather than a traditional software bug. The vulnerability exists because the models are functioning exactly as designed, attempting to provide helpful code snippets and dependencies. This presents a unique challenge for teams trying to evaluate and test AI agents before deployment, as the risk originates from the model’s structural design rather than a specific codebase flaw.

The disclosure highlights an escalating arms race in automated security. On the same day the HalluSquatting research surfaced, CISA began utilizing Anthropic’s Mythos model to scan federal software for vulnerabilities. The automation of both attack surface discovery and defensive scanning indicates a shift in how vulnerabilities are mapped and exploited.

If you manage autonomous agents or use AI coding assistants with terminal access, restrict their ability to install unverified packages. Implement strict allowlists for package registries and require human oversight for environment modifications and dependency updates.

Get Insanely Good at AI

Get Insanely Good at AI

The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.

Keep Reading