New HalluSquatting Attack Allows Hackers to Poison AI Coding Assistants Into Installing Botnet Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly disclosed attack technique dubbed “HalluSquatting” is raising serious concerns in the cybersecurity community after researchers demonstrated how AI coding assistants can be manipulated into installing botnet malware through hallucinated resources.

The research, conducted by Aya Spira, Stav Cohen, Elad Feldman, Ron Bitton, Avishai Wool, and Ben Nassi from Tel Aviv University, Technion, and Intuit, reveals a novel exploitation path targeting agentic large language model (LLM) applications.

These systems, widely used in tools such as GitHub Copilot, Cursor, and other AI-powered coding assistants, are increasingly integrated with external resources like repositories and plugins, creating a new attack surface.

Unlike traditional prompt injection attacks that rely on direct interaction channels such as emails or messages, HalluSquatting operates without any direct access to the target.

Instead, it exploits a well-known limitation of LLMs: their tendency to hallucinate or generate incorrect resource identifiers when responding to user requests.

HalluSquatting Attack Poisons AI Coding Assistants

In this attack, threat actors first analyze trending repositories, tools, or skills that developers commonly reference. They then probe LLM systems to identify likely hallucinated names that the models may generate when asked to retrieve or install such resources.

Once identified, attackers preemptively register these fake resources and embed malicious instructions within them.

When a developer later prompts an AI assistant to perform a task such as cloning a repository or installing a package, the LLM may hallucinate the attacker-controlled resource instead of the legitimate one.

Attack Model ( source : Google)
Attack Model (source: Tel Aviv University Research)

The AI agent then retrieves this malicious resource, unknowingly introducing adversarial instructions into its execution flow.

This leads to what researchers describe as “promptware,” where the poisoned context triggers the AI system to execute attacker-defined commands.

The consequences can be severe. In tested scenarios, the attack enabled remote code and tool execution across multiple platforms, effectively allowing attackers to install malware on users’ systems.

The researchers demonstrated that this technique could be scaled to create a botnet, with compromised devices remotely controllable after infection.

One of the most concerning findings is the high rate of hallucination across different systems. The study observed hallucination rates of up to 85 percent in repository cloning tasks and up to 100 percent in certain skill installation scenarios.

Additionally, these hallucinations were found to be transferable across different LLM models and applications, significantly increasing the attack’s reach.

The researchers emphasize that HalluSquatting fundamentally changes the economics of supply chain attacks. Traditionally, attackers had to compromise either highly popular resources, which is difficult, or obscure ones, which offer limited impact.

By targeting hallucinated identifiers instead, attackers can reliably position their malicious resources where AI systems are likely to look, dramatically increasing the likelihood of compromise. Despite the severity of the findings, the research team followed responsible disclosure practices.

Researchers notified affected vendors, foundation model providers, and platform maintainers before publication. The researchers withheld sensitive implementation details to reduce the risk of misuse and applied technical safeguards during their experiments.

The study highlights the urgent need for stronger validation mechanisms in AI-driven development tools. As agentic AI systems continue to automate coding and system operations, ensuring the integrity of external resources becomes critical.

Without proper safeguards, these tools could inadvertently become a new vector for large-scale malware distribution and botnet formation.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide

The post New HalluSquatting Attack Allows Hackers to Poison AI Coding Assistants Into Installing Botnet Malware appeared first on Cyber Security News.