New HalluSquatting Attack Could Turn AI Coding Assistants Into Massive Botnets
Key Takeaways
- ▸HalluSquatting is a novel pull-based prompt injection attack that scales to massive device compromises by leveraging AI agents' hallucination of resource identifiers in code repositories
- ▸Nine popular AI coding assistants are vulnerable, with GitHub Copilot, Google Gemini CLI, and Cursor among the most widely used affected tools
- ▸The attack enables large-scale device compromise for ransomware distribution, botnet formation, and DDoS campaigns—capabilities that were not previously possible with prompt injection attacks
Summary
Security researchers have discovered a scalable new attack called HalluSquatting that exploits AI coding assistants' tendency to hallucinate resource identifiers. Unlike previous prompt injection attacks that target individual users, this pull-based attack can compromise massive numbers of devices without targeting each one individually. By predicting resource names that AI agents are likely to hallucinate and registering those names with malicious payloads, attackers can indiscriminately distribute reverse shells and malware across systems when vulnerable applications retrieve them from repositories and registries.
The attack affects nine popular AI coding tools and agents, including GitHub Copilot, Google's Gemini CLI, Cursor, Windsurf, Cline, OpenClaw, ZeroClaw, and NanoClaw. These applications routinely pull code and resources from repositories at high privilege levels, providing attackers with the ability to execute arbitrary commands on compromised systems. The research, published this week, demonstrates how the attack mirrors traditional typosquatting techniques but applies them to the hallucinated outputs of large language models.
HalluSquatting represents the first prompt injection attack capable of achieving true botnet-scale distribution. With access to compromised devices, attackers could launch large-scale ransomware campaigns, coordinate DDoS attacks, or operate cryptocurrency mining operations—objectives that were previously impossible with targeted prompt injection approaches. The attack exploits the integrated shells and terminal access available in agentic AI applications.
- Traditional guardrails and mitigations are insufficient; the vulnerability stems from fundamental limitations in how LLMs distinguish between trusted and untrusted sources
Editorial Opinion
HalluSquatting exposes a critical vulnerability in how AI coding agents operate at scale. The ability to weaponize hallucinations into supply chain attacks demonstrates that guardrails alone cannot solve prompt injection threats—the root cause lies in LLMs' inability to distinguish trusted from untrusted instructions. Until vendors implement robust architectural defenses and developers restrict repository access in sensitive environments, organizations should treat AI-assisted code execution as a significant security risk.


