What is HalluSquatting?
Could the hallucinations your AI assistant experiences be more than just wrong answers? A new research paper from Tel Aviv University, Technion, and Intuit suggests they could actually be a security vulnerability that hackers can exploit to take over computers. The paper is titled “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.”
The core idea behind the attack is simple, though the execution is clever. Researchers describe a technique they call “adversarial hallucination squatting,” or HalluSquatting for short. When an AI model generates a response, it sometimes invents links to software repositories or other online resources that don’t actually exist. Hackers can predict which fake resources the model might create, register those names for themselves, and then add malicious instructions to those resources. Later, when the AI agent retrieves that hallucinated resource, it will treat the attacker-controlled content as legitimate and act on it. This could mean downloading malicious code, executing commands, or leaking data.
AI agents are the new target
The threat becomes real as AI assistants evolve from simple chatbots into agents that can interact directly with your computer. These agents can access files, search the web, write code, and run commands. That’s where the security gap appears. They often act on information they retrieve without double-checking whether the source is real. “The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware,” the researchers wrote in their paper. They noted that while previous work focused on direct channels for prompt injection, many applications don’t provide those direct channels, making HalluSquatting a more accessible attack vector.
Testing and real-world implications
In testing, the team found that AI-generated resource hallucinations occurred at alarmingly high rates. In repository cloning scenarios, the rate reached as high as 85 percent. In skill installation tests, it hit 100 percent. They evaluated the technique against several popular AI coding assistants and agents, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw. The researchers warned that this technique could allow attackers to build AI-enabled botnets. A botnet is a network of infected computers controlled remotely by an attacker, commonly used for denial-of-service attacks, cryptocurrency mining, malware distribution, and ransomware campaigns. If you’re familiar with typosquatting, this is a similar concept. In typosquatting, attackers register domain names that look like legitimate websites or software packages, hoping people will make a typing mistake. HalluSquatting targets the mistakes made by AI models instead.
Growing concerns around AI security
This research builds on other recent work. In April, Google researchers detailed malicious websites designed to hijack AI agents through indirect prompt injection attacks. Those attacks attempted to steal passwords, delete files, and manipulate payments. Another study on something called the “CopyPasta” attack showed how hidden prompts inside developer files could manipulate AI coding assistants into spreading malicious code. In June, an OpenClaw user reported facing more than 6,000 attempts from attackers trying to trick the AI agent into leaking sensitive information. The recurring theme is that as AI gains more control over our systems, attackers are finding creative ways to exploit those connections. The hallucinations we often laugh off might be the very thing that gives hackers a foothold. Perhaps it’s worth being a little more cautious about what our AI assistants tell us.
