HalluSquatting attack exploits AI hallucinations to build massive botnets and launch DDoS campaigns

Reviewed byNidhi Govil

2 Sources

Share

Researchers have uncovered HalluSquatting, a new AI security threat that exploits how Large Language Models hallucinate fake domains and package names. Hackers register these AI-generated identifiers to deploy malware at scale. Palo Alto Networks' Unit 42 discovered over 13,000 malicious URLs and 250,000 unregistered domains that could be weaponized, affecting popular AI coding assistants including GitHub Copilot, Cursor, and Gemini CLI.

Hackers Exploit AI-Generated Fake Domains to Build Massive Botnets

A novel AI security threat called HalluSquatting is enabling attackers to assemble massive botnets and launch large-scale attacks by exploiting a fundamental flaw in how Large Language Models operate

1

. The attack method leverages the inherent tendency of LLMs to hallucinate resource identifiers—inventing plausible-sounding domains, repository names, and package locations that don't actually exist. By predicting and registering these hallucinated resource identifiers before legitimate users encounter them, hackers can distribute malware to AI coding assistants at an unprecedented scale

1

.

Source: Ars Technica

Source: Ars Technica

Researchers analyzing this AI-driven security threat found that nine popular AI tools are vulnerable, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw

1

. These assistants routinely pull code and resources from repositories during normal operations, making them prime targets. The attack represents a shift from traditional "push-based" prompt injections that require targeting individual victims to a scalable "pull-based" approach where the malicious payload waits to be discovered.

Palo Alto Networks Uncovers Alarming Scale of Threat

Palo Alto Networks' Unit 42 research team conducted extensive analysis that reveals the massive scope of this vulnerability

2

. Examining 2.1 million URLs generated by two large language models across 913 global brands, Unit 42 identified more than 13,000 confirmed malicious URLs already registered by attackers

2

. Even more concerning, researchers discovered approximately 250,000 hallucinated domains that remain unregistered—each representing a potential entry point for phishing, credential theft, malware delivery, or supply-chain attacks

2

.

The research demonstrates that different models frequently hallucinate identical names, amplifying the threat. A single malicious registration can intercept traffic from multiple developer tools and customer-facing chatbots simultaneously

2

. In one documented case, a coding assistant actively helped assemble a phishing kit on a predicted phantom domain, illustrating how AI systems can unknowingly become accomplices in their own compromise.

How HalluSquatting Enables Large-Scale Attacks

The attack builds on the concept of typosquatting, which first gained widespread attention in 2016 when booby-trapped packages uploaded to PyPI, RubyGems, and NPM repositories executed more than 45,000 times across 17,000 domains

1

. HalluSquatting takes this further by exploiting LLMs' inability to accurately identify resource locations. When developers instruct coding agents to clone popular repositories, the LLM hallucinates the correct location up to 85 percent of the time, and when cloning trending "skills"—specialized capabilities for agents—hallucinations can occur 100 percent of the time

1

.

By embedding instructions to install reverse shells in registered malicious resources, attackers can effectively "infect" independent agentic applications at scale

1

. This scalable property enables compromising large numbers of users with minimal effort by targeting popular resources. The ability to take control of distributed devices opens possibilities for objectives not previously achievable with prompt injections, including large ransomware campaigns, botnets for DDoS attacks, and cryptocurrency mining operations

1

.

Rising Threat Landscape Demands Vigilance

Public forecasts project machine-learning-driven cyberattacks will exceed 28 million in 2025, with reports indicating 35 percent of botnet operations already use ML to evade detection

2

. While HalluSquatting hasn't yet produced massive botnets by itself, the foundational vulnerability creates significant risk for organizations relying on AI coding assistants. The flaw stems from training biases and misinterpretations within the current context—an inherent limitation that can't be easily patched

1

.

With no way to enforce boundaries between trusted and untrusted sources, AI engine developers must erect elaborate guardrails designed to mitigate damage rather than solve the root cause

1

. Unit 42's guidance emphasizes the need for AI-generated content verification: verify generated domains, packages, remediation steps, and any link before trusting it

2

. Organizations should watch for automated workflows that trust AI-generated links without validation and implement manual verification steps for critical resources. As AI assistants become embedded in development pipelines, the potential for supply-chain attacks grows, making this an issue that demands immediate attention from security teams and developers alike.🟡.*

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved