2 Sources
[1]
Hackers can use 9 of the most popular AI tools to assemble massive botnets
In the brief history of AI security, the prompt injection has quickly become the top threat. Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing. This makes it trivial to surreptitiously inject malicious commands that the LLM readily follows. With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause. To date, most prompt injections have fallen into a class known as push, in which each potential victim is targeted. For example, the adversary injects malicious instructions into an individual email or calendar invitation. Because the injection must then be sent (or pushed) to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large. Meanwhile, pull-based attacks, in which an LLM actively seeks out the adversarial prompts planted on websites, remain limited. With no way to lure large numbers of LLMs to a malicious site, these sorts of attacks don't scale either. Enter HalluSquatting Now, researchers have devised a pull-based attack that changes all that. A new attack the researchers have named HalluSquatting has the potential to assemble massive botnets, perform large-scale DDoSes, and infect devices at scale, a first for prompt-injection attacks. The attack works against AI coding assistants and agents, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw, which are all susceptible. In the normal course of performing day-to-day activities, these assistants and agents routinely pull code and other resources from repositories and registries. Short for adversarial hallucination squatting, HalluSquatting is built on an LLM's inherent tendency to hallucinate the resource identifiers hosted in repositories and registries. It works against coding agents and assistants, which commonly access high-privilege command lines to run code from third-party resources. By predicting the identifiers LLMs are most likely to hallucinate and then registering and seeding them with instructions to install reverse shells or other malicious wares, the attack can indiscriminately infect massive numbers of devices without having to target each one. "The scalable property of the attack enables the attacker to compromise a large number of users with minimal effort by targeting popular resources, thereby maximizing the likelihood that the squatted resource will be retrieved," the researchers wrote in a paper published Wednesday. "By exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively 'infect' many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register." With the ability to take control of distributed devices at scale, HalluSquatting has the potential to achieve various objectives not previously possible with prompt injections. Large ransomware campaigns and large botnets for use in DDoSes or cryptocurrency mining are two such examples. The "squatting" part of the name is an invocation of "typosquatting," in which a domain, repository package, or other resource identifier closely mimics the name of a popular one in hopes of luring potential users to visit or install it. Typosquatting first gained widespread attention in 2016 when a college student uploaded 214 booby-trapped packages to the PyPI, RubyGems, and NPM repositories that closely mimicked names of legitimate packages. The result: The imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half were given all-powerful administrative rights. Typosquatting attacks have flourished ever since. LLMs don't know how to say "I don't know." The starting point for HalluSquatting is the inability of LLMs to accurately identify the location of a resource specified by the user. When a developer, for instance, instructs a coding agent to clone a popular new repository, the LLM hallucinates its correct location up to 85 percent of the time. When cloning a trending "skill," a form of instruction, script, or resource that gives agents specialized capabilities and domain expertise, hallucinations can occur 100 percent of the time. HalluSquatting focuses on trending resources because they aren't included in the LLM training. They also receive large numbers of downloads over a short period of time. The researchers say the inability of LLMs to provide the correct location is an inherent flaw that arises from training biases or from misinterpretations of instructions within the current context. That means when a user prompts the coding assistant to clone a repository or skill -- in the form of, say, "clone repo name" or "install skill name" -- the bot frequently navigates to the wrong location to retrieve it. Not only are these hallucinations inevitable, but they also occur at the foundational level of all six of the major LLMs, including Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5. Additionally, the most commonly provided incorrect locations that these LLMs hallucinate are easy to predict in advance. All six LLMs follow common patterns when resolving the repository or skill name in a prompt with its official name in a repository or skill repository. LLMs follow various hallucination patterns. The one HalluSquatting exploits is described as being self-referential. All six models produce repo-name/repo-name slugs that treat a repository name as the owner. Exploiting the pattern requires no model probing. Interestingly, the LLMs correctly resolve repositories published before 2019 with a low mean hallucination rate of just 0.9 percent. The same LLMs fabricate slugs for repositories published in 2025 with a mean hallucination rate of 92.4 percent. Once an attacker has identified names that are most likely to be hallucinated, they search for ones that can be registered. Then they upload a repository or skill that mimics the trending resource. Buried inside the repository or skill is text inside a readme file or elsewhere. The text contains an instruction for the app to install a reverse shell on the LLM user's machine. Alternatively, the attacker can simply include the code required to install the shell. In either case, the coding assistants or agents use their access to command windows to comply. Exploiting LLMs at scale The researchers are: Aya Spira, Elad Feldman, Avishai Wool, and Ben Nassi of Tel Aviv University, Stav Cohen of Technion, and Ron Bitton of Intuit. On Wednesday, they published their research here. In their paper, they wrote: By exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively "infect" many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register. Gaining access to distributed computational resources under attacker control opens the door to several high impact outcomes allowing attackers to achieve various goals. For example, having the ability to compromise LLM applications with terminals allows the attacker to scale the number of ransomware attacks on different networks to maximize financial gain. Alternatively, attackers can aggregate compromised machines into a botnet and use it for tasks that rely on substantial computing power, including (1) large-scale cryptocurrency mining (e.g., Smominru, WannaMine) or (2) performing distributed denial of service (DDoS) attacks against victims (e.g., Mirai). HalluSquatting is already receiving interest from fellow AI security researchers not involved in the study. "This is very cool research, and the threat is very real," Michael Bargury, CTO of security firm Zenity, wrote in an email. "Like typosquatting, it's a problem that's not going away. At the end of the day, it's about the level of agency we allow our agents. They *are* going to get fooled one way or the other. That should be our assumption, and we should be resilient to that." Independent researcher Johann Rehberger wrote: What's interesting is that it shows that LLM resource resolution can become an attack path and an attacker can first probe models to find high-probability hallucinated candidates (like repo names, skill identifiers,etc) to squat and wait for agents to resolve and use them. But the main point is that they found a cool technique to find resource names that are more likely by models to be used/confused with. And that could mean many agents falling for such attacks in the wild. AI tool makers frequently exaggerate the convenience and efficiency of their platforms. Marketers claim the platforms lighten workflows by automating and streamlining tedious tasks. They are much more reticent about the inherent flaws that can torpedo an entire project. Attacks like HalluSquatting provide a potent reminder that some of the efficiencies are exaggerated since, at the end of the day, users must double-check details such as the location for each resource incorporated into a project. It also provides a cautionary lesson on the unintended and potentially dire outcomes that can result when people rely too heavily on AI assistants.
[2]
Palo Alto Networks flags HalluSquatting: hackers register fake AI-made web addresses
Researchers found 13,000 malicious URLs and 250,000 unregistered domains Palo Alto Networks' Unit 42 is warning about a chatbot security problem that's gaining ground: HalluSquatting. AI systems are making up domains, download links, and package names, and attackers can move first by registering them. Unit 42 researchers say the play is pretty simple. When a model invents a website or software package that sounds plausible, criminals can turn that fake asset into phishing pages, credential theft, malware delivery, or supply-chain attacks. The risk gets higher when people copy and paste generated links, or when automated workflows trust them without checking. In its analysis, Palo Alto Networks' Unit 42 looked at 2.1 million URLs generated by two large language models across 913 global brands. The team found more than 13,000 confirmed malicious URLs, plus roughly 250,000 hallucinated domains that were still unregistered. What makes the problem hard in practice, Unit 42 says, is that different models often hallucinate the same names. One malicious registration can pull in traffic from developer tools and customer-facing chatbots across a lot of different places. In one documented case the team cited, a coding assistant even helped put together a phishing kit on a predicted phantom domain. If you use AI tools often, this isn't something to shrug off. Public forecasts now put machine-learning-driven cyberattacks at more than 28 million in 2025, and public reports say 35% of botnet operations used ML to evade detection, even if those same reports haven't yet shown HalluSquatting by itself producing massive botnets. The takeaway from Palo Alto Networks' Unit 42 is straightforward: verify generated domains, packages, remediation steps, and any link that merely looks convincing.
Share
Copy Link
Researchers have uncovered HalluSquatting, a new AI security threat that exploits how Large Language Models hallucinate fake domains and package names. Hackers register these AI-generated identifiers to deploy malware at scale. Palo Alto Networks' Unit 42 discovered over 13,000 malicious URLs and 250,000 unregistered domains that could be weaponized, affecting popular AI coding assistants including GitHub Copilot, Cursor, and Gemini CLI.
A novel AI security threat called HalluSquatting is enabling attackers to assemble massive botnets and launch large-scale attacks by exploiting a fundamental flaw in how Large Language Models operate
1
. The attack method leverages the inherent tendency of LLMs to hallucinate resource identifiers—inventing plausible-sounding domains, repository names, and package locations that don't actually exist. By predicting and registering these hallucinated resource identifiers before legitimate users encounter them, hackers can distribute malware to AI coding assistants at an unprecedented scale1
.
Source: Ars Technica
Researchers analyzing this AI-driven security threat found that nine popular AI tools are vulnerable, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw
1
. These assistants routinely pull code and resources from repositories during normal operations, making them prime targets. The attack represents a shift from traditional "push-based" prompt injections that require targeting individual victims to a scalable "pull-based" approach where the malicious payload waits to be discovered.Palo Alto Networks' Unit 42 research team conducted extensive analysis that reveals the massive scope of this vulnerability
2
. Examining 2.1 million URLs generated by two large language models across 913 global brands, Unit 42 identified more than 13,000 confirmed malicious URLs already registered by attackers2
. Even more concerning, researchers discovered approximately 250,000 hallucinated domains that remain unregistered—each representing a potential entry point for phishing, credential theft, malware delivery, or supply-chain attacks2
.The research demonstrates that different models frequently hallucinate identical names, amplifying the threat. A single malicious registration can intercept traffic from multiple developer tools and customer-facing chatbots simultaneously
2
. In one documented case, a coding assistant actively helped assemble a phishing kit on a predicted phantom domain, illustrating how AI systems can unknowingly become accomplices in their own compromise.The attack builds on the concept of typosquatting, which first gained widespread attention in 2016 when booby-trapped packages uploaded to PyPI, RubyGems, and NPM repositories executed more than 45,000 times across 17,000 domains
1
. HalluSquatting takes this further by exploiting LLMs' inability to accurately identify resource locations. When developers instruct coding agents to clone popular repositories, the LLM hallucinates the correct location up to 85 percent of the time, and when cloning trending "skills"—specialized capabilities for agents—hallucinations can occur 100 percent of the time1
.By embedding instructions to install reverse shells in registered malicious resources, attackers can effectively "infect" independent agentic applications at scale
1
. This scalable property enables compromising large numbers of users with minimal effort by targeting popular resources. The ability to take control of distributed devices opens possibilities for objectives not previously achievable with prompt injections, including large ransomware campaigns, botnets for DDoS attacks, and cryptocurrency mining operations1
.Related Stories
Public forecasts project machine-learning-driven cyberattacks will exceed 28 million in 2025, with reports indicating 35 percent of botnet operations already use ML to evade detection
2
. While HalluSquatting hasn't yet produced massive botnets by itself, the foundational vulnerability creates significant risk for organizations relying on AI coding assistants. The flaw stems from training biases and misinterpretations within the current context—an inherent limitation that can't be easily patched1
.With no way to enforce boundaries between trusted and untrusted sources, AI engine developers must erect elaborate guardrails designed to mitigate damage rather than solve the root cause
1
. Unit 42's guidance emphasizes the need for AI-generated content verification: verify generated domains, packages, remediation steps, and any link before trusting it2
. Organizations should watch for automated workflows that trust AI-generated links without validation and implement manual verification steps for critical resources. As AI assistants become embedded in development pipelines, the potential for supply-chain attacks grows, making this an issue that demands immediate attention from security teams and developers alike.🟡.*Summarized by
Navi
13 Apr 2025•Technology

24 Apr 2025•Technology

22 Oct 2025•Technology

1
Policy and Regulation

2
Policy and Regulation

3
Policy and Regulation
