"Attacks always get better; they never get worse." That is how the researchers who disclosed HalluSquatting frame the risk — and their experiment shows exactly why: AIs that invent names, plus agents that fetch and run code with little human review, form a surprisingly efficient delivery mechanism for malware.
How HalluSquatting tricks assistants
HalluSquatting chains two consistent AI behaviors: hallucination and prompt injection. First, a model guessing at a repository or plugin name will invent a plausible but false identifier. Second, an attacker can claim that invented name on a public marketplace and embed adversarial instructions inside it. When an assistant fetches that named resource, the hidden content becomes input the agent reads; if the agent is allowed to run commands automatically, those instructions can make the assistant execute attacker-supplied code on the host.
The researchers lay out a repeatable four-step path: pick a trending target so the AI must guess; probe the model until it repeatedly gives the same invented name; register that name on GitHub or a plugin store and hide malicious instructions there; then wait for users to ask their assistants to fetch the trending resource so the assistant pulls the planted version instead.
Experiments and tools the team tested
The work comes from Aya Spira and colleagues in Ben Nassi's group at Tel Aviv University, with Stav Cohen at Technion and Ron Bitton at Intuit. In laboratory tests the fabricated names were not random: the same wrong name appeared across different phrasings and across models from different companies, reaching identical-name rates as high as 85% for repository requests and 100% for skill installs in the authors' reported peaks.
In those tests the researchers got assistants to run attacker-supplied payloads against tools including Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants. The payloads used in the study were harmless placeholders; the path they exercised would be identical for live malware, the paper notes. The team informed affected vendors, model makers, and marketplace operators before going public and withheld the exact replication steps.
Why the researchers say this can build a botnet
Traditional botnets rely on weak credentials or worming exploits and tend to target homogeneous device types. HalluSquatting needs none of that: no password-crack, no network exploit, and no single device family. Because the delivery arrives as text the AI reads, it bypasses the kinds of firewall signatures that look for binary exploits. Once an assistant follows planted instructions and runs a command like "install a bot," that installed software behaves like any other botnet client.
That combination — a predictable hallucinated name, public marketplaces anyone can register names on, and an agent with permission to fetch and run — is the novel piece the researchers call out. The technique advances earlier tricks: slopsquatting (attackers registering fake package names) and phantom squatting (Palo Alto Networks' Unit 42 described roughly 250,000 hallucinated domains left unregistered). A recent example cited by the researchers: in January 2026, Aikido Security's Charlie Eriksen found a made-up npm package named react-codeshift already spread into 237 code projects before he registered it to prevent abuse.
Mitigations the authors and vendors point to
The core technical fix the researchers recommend is simple: force the assistant to look up a resource before it fetches. A real lookup anchors the agent in existing, resolvable sources and sharply reduces hallucination-driven mistakes. They also advise training the planner — the component that maps a user request into steps — to perform that lookup and to treat words such as clone, install, and fetch as flags that require verification.
Near-term operational protections are also practical. By default, many agents ask a human before running commands; the exposure comes from auto-run modes such as Claude Code's skip-permissions flag and Gemini CLI's yolo mode. The first rule for defenders is to avoid running agents unattended on anything they fetched. Some tools add inspection layers — the researchers cite Claude Code's auto mode and Gemini CLI's Conseca check — which reduce but do not eliminate risk. Platforms can limit repository-name reuse under new accounts and pre-register names AIs commonly invent so those names resolve to the real projects.
What this means for technologists, platforms, and end users
- Technologists and security teams: train planners to perform lookups, treat clone/install/fetch as verification-required flags, and avoid enabling auto-run modes that bypass permission prompts.
- Marketplace operators and platform owners: consider preventing reuse of well-known repository names, pre-registering predicted fake names, and tightening upload scanners — a relevant datapoint is Trail of Bits' June finding that malicious "skills" slipped past several store scanners in under an hour.
- End users and enterprises: treat any name an AI hands back as a guess, verify that a repository or package name resolves to the expected source before an agent pulls it, and do not permit unattended agents to run fetched code.
The researchers call their findings a lower bound: the attack is straightforward to improve and adapts as agents and marketplaces evolve. They also made a deliberate disclosure choice — notifying affected parties and withholding replication detail — underscoring that the vulnerability is not a single patch but a design gap where agents trust names they were never actually given.




