Skip to content
Safety · Jul 8, 2026

Researchers demonstrate new prompt-injection attack that exploits LLM hallucinations to build botnets at scale

HalluSquatting attack leverages predictable hallucination patterns in coding assistants and agents to register malicious repositories, enabling large-scale device compromise.

Trust79
HypeLow hype

1 source · cross-referenced

ShareXLinkedInEmail
TL;DR
  • Nine popular AI coding assistants and agents are vulnerable to a new pull-based prompt-injection attack named HalluSquatting.
  • The attack exploits LLMs' tendency to hallucinate repository identifiers, with hallucination rates up to 85% for repositories and 100% for trending skills.
  • Researchers registered malicious repositories matching predictable hallucination patterns to deliver reverse shells without targeting individual victims.
  • The scalable attack could enable large botnets, DDoS campaigns, ransomware, or cryptocurrency mining at scale.

A team of security researchers has demonstrated a new class of prompt-injection attack called HalluSquatting that exploits the inability of large language models (LLMs) to accurately locate resources, such as repositories or skills, specified in user prompts.

The attack targets AI coding assistants and agents—including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw—which routinely pull code and other resources from repositories and registries during normal operation. By registering malicious repositories that match predictable hallucination patterns produced by LLMs, attackers can deliver reverse shells or other malicious payloads to a large number of devices simultaneously, without having to target each victim individually.

The researchers found that LLMs hallucinate repository locations at high rates: up to 85% of the time when cloning repositories and 100% of the time when installing trending skills. These hallucinations are not random; they follow consistent, predictable patterns across multiple leading models, including Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5. In particular, the team identified a self-referential pattern where models frequently generate repository identifiers in the form of repo-name/repo-name, treating the repository name as the owner.

To weaponize these hallucinations, the researchers registered repositories matching the most commonly hallucinated patterns for popular targets. These malicious repositories contained instructions to install reverse shells, which were then executed by the agentic applications when they pulled the squatted resources. Because the attack relies on LLMs retrieving the squatted resources during routine operations, it scales indiscriminately, enabling attackers to compromise large numbers of devices with minimal effort.

The researchers warn that HalluSquatting could enable a range of large-scale attacks, including botnets for DDoS or cryptocurrency mining, and ransomware campaigns, all without the need for traditional push-based targeting. They note that the attack is a first for prompt-injection techniques, which have historically been limited in scale by the need to target individual victims.

The work also draws a parallel to typosquatting, a long-standing attack in which adversaries register resources with names similar to popular ones to lure users. HalluSquatting adapts this concept to the context of LLM hallucinations, where the adversary exploits predictable errors in resource resolution rather than typographical closeness.

Sources
  1. 01Ars Technica — Technology LabHackers can use 9 of the most popular AI tools to assemble massive botnets
Also on Safety

Stories may contain errors. Dispatch is assembled with AI assistance and curated by human editors; despite the trust-score filter, mistakes happen. We correct publicly — every article links to its revision history. Nothing here is financial, legal, or medical advice. Verify before relying on any claim.

© 2026 Dispatch. No ads. No sponsorships. No paid placement. Reader-supported via Ko-fi.

Built by a person who cares about honest AI news.