Researchers from Tel Aviv University, Technion, and Intuit published a paper on July 9 detailing a new class of cyberattack they’ve dubbed “HalluSquatting,” short for adversarial hallucination squatting. The technique weaponizes one of AI’s most well-known flaws: hallucinations, the tendency of large language models to confidently generate information that doesn’t exist.
How HalluSquatting works
When developers ask AI coding assistants to help install a software package or pull code from a GitHub repository, the model sometimes invents a package name that sounds right but doesn’t actually exist. But the researchers found that these hallucinated names are surprisingly predictable. Attackers can figure out which fake names an AI is likely to invent, register those names first, then stuff them with malicious code. When an AI agent later “hallucinates” that exact name and tries to download it, the developer unknowingly pulls in malware.
The success rates are genuinely alarming. Across various test scenarios, LLMs hallucinated incorrect repository names up to 85% of the time. For specific popular GitHub repositories assessed in 2025, the mean hallucination rate surpassed 92%. Some tests targeting particular skill installations hit a perfect 100% hallucination rate.
From annoying bug to agentic botnet
An earlier, simpler version of this attack called “slopsquatting” involved registering fake package names on platforms like PyPI and npm, hoping developers would accidentally type a wrong name. HalluSquatting is the evolution: instead of waiting for human typos, attackers exploit AI typos, which are far more predictable and scalable.
The real danger emerges with the rise of agentic AI, systems that don’t just suggest code but actually execute commands. Tools like GitHub Copilot and other AI coding assistants increasingly have terminal access, meaning they can install packages and run code without a human double-checking each step.
The paper’s full title tells you where the researchers think this is heading: “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” In simpler terms, they’re warning that compromised AI agents could be chained together into massive botnets, networks of hijacked machines controlled by attackers, all triggered through nothing more than predictable hallucinations.
Before publishing, the researchers responsibly disclosed their findings to affected vendors and model providers, redacting sensitive implementation details to prevent immediate exploitation.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

3 hours ago
18









English (US) ·