Security researchers from Tel Aviv University, Technion, and Intuit published a technique on Wednesday that turns AI coding agents into botnet nodes by exploiting their tendency to hallucinate package and repository names. The attack, called HalluSquatting, affects nine widely deployed agents: Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw.

How It Works

The attack exploits a structural weakness in how LLMs resolve resource names. When a developer asks a coding agent to clone a repository or install a skill, the underlying model frequently fabricates the correct location. According to the research paper, hallucination rates reach 85% for repository cloning and 100% for skill installation. Repositories published before 2019 get hallucinated at a mean rate of 0.9%. For repositories published in 2025, that rate jumps to 92.4%.

The pattern is predictable. All six foundational LLMs tested (Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5) follow common hallucination patterns when resolving names. The most frequent pattern is self-referential: models produce repo-name/repo-name slugs, treating the repository name as its own owner. No model probing is required to exploit this.

An attacker identifies trending repositories or skills, queries LLMs to map the distribution of hallucinated names, then registers the most likely candidates on GitHub, npm, or skill repositories. Inside the squatted resource, the attacker embeds instructions for the agent to install a reverse shell or execute malicious code. Because coding agents have access to command-line terminals, they comply.

From Prompt Injection to Botnet

As Ars Technica reported, HalluSquatting represents a qualitative shift in prompt injection attacks. Prior prompt injections were either “push-based” (injecting malicious instructions into individual emails or calendar invitations, limiting scale) or “pull-based” but unscalable (requiring luring specific LLMs to malicious websites).

HalluSquatting is pull-based and scalable. Agents actively seek out the squatted resources during normal operation, without the attacker needing to target individual victims. The researchers wrote that this “enables the attacker to compromise a large number of users with minimal effort by targeting popular resources, thereby maximizing the likelihood that the squatted resource will be retrieved.”

The practical outcomes include large-scale ransomware campaigns, DDoS botnets, and cryptocurrency mining operations across distributed compromised machines.

Connection to Real-World Supply Chain Attacks

The technique is not theoretical in isolation. The typosquatting attack vector that HalluSquatting builds on has been active for a decade. In 2016, a college student uploaded 214 booby-trapped packages to PyPI, RubyGems, and npm that were executed more than 45,000 times on 17,000 domains. More recently, North Korea’s Sapphire Sleet threat actor hijacked a Mastra AI maintainer’s npm account in June 2026, publishing 140+ packages with a malicious dependency called “easy-day-js” in a 19-minute window.

HalluSquatting adds a new dimension: attackers no longer need to trick humans into installing malicious packages. The agents do it themselves, hallucinating their way to attacker-controlled resources without any social engineering.

Mitigations and Responsible Disclosure

The researchers responsibly disclosed findings to affected application vendors, foundation model providers, and marketplace maintainers before publication. They redacted implementation details that could facilitate direct exploitation.

For teams deploying coding agents in production, the attack surface is the gap between what an agent thinks a resource is called and what it is actually called. Package signing, dependency pinning, allowlists for approved registries, and tool approval workflows that require human confirmation before installing unfamiliar packages all reduce exposure. The deeper fix requires LLMs to decline rather than guess when they cannot verify a resource’s location, a capability none of the six tested models currently demonstrate.