“HalluSquatting” weaponizes LLMs’ inability to say “I don’t know.”
In the evolving landscape of AI security, prompt injection has emerged as the foremost threat, exploiting large language models' (LLMs) inherent difficulty in distinguishing between legitimate user instructions and malicious commands embedded in various content. This vulnerability allows for the surreptitious injection of harmful directives that LLMs readily execute. Historically, most prompt injections have been 'push-based,' targeting individual victims and thus limiting the scale of attacks. Conversely, 'pull-based' attacks, where LLMs actively seek out and process adversarial prompts from external sources, have been less effective due to the challenge of luring a significant number of LLMs to malicious sites, thereby hindering mass exploitation.
Researchers have developed a new, scalable pull-based attack called 'HalluSquatting,' which drastically alters the landscape of AI security. This attack targets nine popular AI coding assistants and agents, including Cursor, GitHub Copilot, and Gemini CLI, making them susceptible to forming massive botnets, performing large-scale Distributed Denial of Service (DDoS) attacks, and infecting devices at scale. HalluSquatting leverages an LLM's tendency to 'hallucinate' resource identifiers when these agents routinely pull code and other resources from online repositories and registries. By predicting the resource identifiers LLMs are most likely to hallucinate, attackers can register these squatting names and embed malicious instructions (e.g., to install reverse shells) within them. This allows for indiscriminate infection of numerous devices without individual targeting, echoing the concept of 'typosquatting' which has historically led to widespread compromise through mimicking legitimate package names in code repositories. This method enables novel, large-scale malicious objectives previously unattainable with prompt injections, such as extensive ransomware campaigns or cryptocurrency mining.
The fundamental flaw that HalluSquatting exploits is the LLMs' inability to accurately identify the correct location of user-specified resources. For instance, when a developer instructs a coding agent to clone a new or trending repository, the LLM hallucinates the correct location up to 85% of the time, a figure that can reach 100% for trending 'skills.' This inherent tendency to fabricate incorrect locations stems from training biases or misinterpretations of instructions within the current context. Crucially, researchers found that the most common incorrect locations hallucinated by six major LLMs (Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5) follow predictable 'self-referential' patterns, such as 'repo-name/repo-name' slugs. This predictability allows attackers to register these hallucinated names. While repositories published before 2019 had a low mean hallucination rate (0.9%), those from 2025 exhibited a startling 92.4% rate. Once attackers register these predicted names with malicious content, such as instructions to install a reverse shell in a readme file, the coding assistants or agents readily comply using their access to command windows, thereby compromising the user's machine.
The research, conducted by Aya Spira, Elad Feldman, Avishai Wool, Ben Nassi, Stav Cohen, and Ron Bitton, highlights HalluSquatting's potential for widespread exploitation. By leveraging the integrated shells and terminals of agentic applications to run scripts and code, attackers can efficiently 'infect' a vast number of independent AI applications. This large-scale access to distributed computational resources opens doors to high-impact malicious outcomes, including scaling ransomware attacks, establishing massive botnets for cryptocurrency mining (e.g., Smominru, WannaMine), or executing Distributed Denial of Service (DDoS) attacks (e.g., Mirai). Industry experts like Michael Bargury and Johann Rehberger confirm the severity and persistence of this threat, comparing it to typosquatting and emphasizing the necessity of designing resilient systems. The findings serve as a stark reminder that the acclaimed efficiencies of AI platforms are often exaggerated, and users must diligently verify resource details to avoid the potentially dire and unintended consequences of over-reliance on AI assistants.