1. Reconnaissance: the attacker mass-queries LLMs (e.g. GPT-5.1, Claude, Gemini), asking for package recommendations, repo cloning, plugin installations. They collect a list of hallucinated, non-existent names. Hallucination rates reach 85% for repo-cloning and 100% for skill installations. 2. Transferability check: the attacker verifies that the same names hallucinate across different foundation models — one squat = many assistants. 3. Squatting: the attacker registers those names on PyPI, npm, GitHub, etc. with a malicious payload (install script, backdoor, downloader). 4. Trap: when someone asks an AI assistant for a 'popular library for X', the assistant hallucinates the trap name and invokes pip install / git clone / plugin install in the built-in terminal. 5. Execution: the payload runs with the user's or agent's privileges. It can install malware, add the host to an 'agentic' botnet, exfiltrate data, establish persistence. 6. Scaling: each independent user query is an independent infection event. The botnet grows proportionally to the assistant's user base.
HalluSquatting does NOT solve a problem — it IS an attack. It does solve the ATTACKER'S problem: how to reach developer machines without known vulnerabilities, without lateral movement, and without a direct communication channel to the victim. Answer: let the LLM itself lead the victim to the malicious package.
Systematic model probing that logs the returned, non-existent package/repo/skill names. Typically in a scaled pipeline with thousands of prompt variants.
Official
Verifies that the same hallucinated names recur across different foundation-model families (GPT, Claude, Gemini, Llama, etc.). Determines the 'ROI' of a squat.
Official
Publishing packages/repos under the hallucinated names to public registries (PyPI, npm, GitHub, Hugging Face). The payload is usually embedded in a post-install script or in a README with instructions to execute.
Code executed after the assistant fetches it: backdoor, downloader for further malware, code that adds the host to a botnet, exfiltration scripts. Can leverage the assistant's terminal privileges.
Official
The actual infection vector: an AI assistant (Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, Claude Code) runs the fetched package in its built-in terminal as part of the developer's normal workflow.
The developer accepts 'pip install' or 'git clone' suggested by the assistant without verifying the package's existence and reputation in the official registry.
The built-in Cursor/Windsurf/OpenClaw terminal by default runs commands as the current user, with access to secrets, SSH keys, and CI tokens. A compromise = a developer compromise.
Without an internal registry of approved packages (PyPI proxy, GitHub private registry), the assistant can fetch any public package.
Switching models (e.g. GPT-5.1 → Claude) does NOT protect — the same hallucinated names recur across different vendors.
Researchers (including Lasso Security, Vulcan) document that popular LLMs regularly invent non-existent package names in code recommendations. Early work warns of a possible typosquatting-analogous risk.
A team from Tel Aviv University + Technion + Intuit publishes on July 10, 2026 a full 'adversarial hallucination squatting' framework. Hallucination rates: 85% (repo cloning), 100% (skill installation). Key finding: transferability across different foundation models. Goal: agentic botnets. Vendors were notified before publication; exploit details withheld.
How many different prompts the attacker sends to discover hallucinated names. Higher number → larger hallucination corpus → more squats.
Which public registries are the squatting target (PyPI, npm, GitHub, Hugging Face, VS Code Marketplace, MCP servers). Widening the scope grows the attack surface.
When the malicious code activates: post-install script (immediately after installation), import time (on first import), scheduled (delayed trigger to evade sandbox detection).
HalluSquatting is a software-layer attack on AI-tool orchestration. It does not depend on any particular CPU or accelerator.