Robots Atlas>ROBOTS ATLAS
Artificial Intelligence

HalluSquatting: turning LLM hallucinations into botnets

HalluSquatting: turning LLM hallucinations into botnets

A team of researchers from Tel Aviv University, Technion, and Intuit detailed a new attack named HalluSquatting in a paper published July 8, 2026. It exploits the inherent tendency of large language models to hallucinate repository and package identifiers. It is the first prompt-injection-class attack that genuinely scales to mass device compromise — with the potential to build botnets and run ransomware campaigns.

Key takeaways

  • HalluSquatting (adversarial hallucination squatting) works against coding agents and assistants: Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw.
  • When cloning a popular repository, LLMs hallucinate its location up to 85% of the time — and up to 100% for trending "skills".
  • Models mis-resolve pre-2019 repositories a mean 0.9% of the time — for 2025 repositories the hallucination rate rises to 92.4%.
  • The flaw exists at the foundational level in six major models: Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5.
  • The attack goal: mass installation of reverse shells, then botnets for DDoS or crypto mining and ransomware campaigns.

How the attack works

The starting point is that an LLM cannot say "I don’t know." When a developer tells an agent to clone a repository or install a "skill" — a script or resource that gives an agent specialized capabilities — the model fabricates an address rather than admit it does not know it. HalluSquatting exploits this in three steps:

  1. predict which nonexistent names the model will most often fabricate.
  2. register those names.
  3. plant in them an instruction to install a reverse shell, or the malicious code itself.

The key point is that the hallucinations are predictable. All six studied models follow the same patterns when resolving names. The pattern HalluSquatting uses is what the researchers call self-referential — models produce a slug shaped as repo-name/repo-name, treating the repository name as its owner. Exploiting this scheme does not even require probing the model — the attacker knows in advance which names to register.

The effect is the inverse of prior attacks. Classic prompt injections were "push" — each victim had to be targeted individually, e.g. by injecting an instruction into an email. HalluSquatting is "pull" and scales without targeting single victims. Coding agents routinely pull code from repositories and have high-privilege terminal access, so a single registered, fabricated repository can infect many independent installations at once.

An echo of typosquatting, but more dangerous

The name nods to typosquatting, where an address or package impersonates a popular one, banking on a user’s mistake. The phenomenon gained attention in 2016 when a student uploaded 214 booby-trapped packages to PyPI, RubyGems, and NPM — they were executed more than 45,000 times across more than 17,000 domains, and over half were granted full administrative rights. The difference is that typosquatting relies on a human typo, while HalluSquatting relies on a predictable machine error — which makes it far more scalable.

The attack is already drawing interest.

"This is very cool research, and the threat is very real." — Michael Bargury, CTO of security firm Zenity.

Bargury added that, like typosquatting, the problem will not go away and that we should assume agents will be fooled. Independent researcher Johann Rehberger noted that a model’s name-resolution procedure itself becomes an attack path, and an attacker can probe models beforehand to find the names most likely to be hallucinated.

Why it matters

HalluSquatting moves hallucination from the "annoying quality bug" category into the "internet-scale attack vector" category. The industry has largely treated fabricated answers as a trust problem — here they turn into a direct security threat. The most dangerous aspect is that the attack requires no model jailbreaking or guardrail bypass — it exploits the model’s normal, expected behavior. The rising hallucination rate for the newest repositories (92.4% for 2025 versus 0.9% pre-2019) means the fresher and more popular the resource, the higher the risk. This strikes at the very promise of coding agents: autonomously pulling and running code without human oversight becomes exactly what makes them vulnerable. Until models learn to say "I don’t know," the burden of verifying every address falls back on the user — undermining some of the advertised time savings.

What's next?

  • The research paper is already public — agent vendors (Cursor, GitHub Copilot, Gemini CLI, and others named) will need to add source verification for resources.
  • The attack exploits foundational-level behavior in six major models — mitigation requires changes in the name-resolution layer itself, not just application guardrails.
  • Identified risks: ransomware campaigns and botnets for DDoS and crypto mining — real-world use will test the effectiveness of defenses.

Sources

Share this article