Skip to content
OTFotf
All posts

AI Tool Vulnerability Exposes Risk of Massive Botnet Creation

D
DaveAuthor
6 min read
AI Tool Vulnerability Exposes Risk of Massive Botnet Creation

HalluSquatting is the kind of paper that reframes a "known quirk." Researchers including a team at Tel Aviv University ran the cleanest version of the experiment yet: pick an AI coding tool, ask it to clone or install a specific resource, and watch which URL it resolves. The result is damning. Nine widely-used tools — Cursor, GitHub Copilot, Gemini CLI, Windsurf, and five others — pick the wrong repository up to 85% of the time when cloning popular code, and 100% of the time for trending resources that weren't in their training data. The misidentification rate is 92.4% for 2025-vintage repositories and below 1% for pre-2019 ones. All six major LLMs the team tested share the same blind spot. (Research summary in RocketNews)

This isn't a UX bug. It's an attack surface, and it's already being scoped for botnets.

The hallucination that isn't a glitch

LLMs don't resolve package names the way a package manager does. They generate them, one token at a time, from the same machinery that writes a paragraph. When you tell a coding agent to "clone the repo for X" and X isn't a known entity, the model invents a plausible-looking identifier — one that often doesn't exist but could exist, given the surrounding code patterns. That's the hallucination.

HalluSquatting weaponizes that inventing. An attacker scrapes the most common hallucinated names, registers those names as repositories, and parks malicious code inside them. When an agent next tries to "fetch X," it lands on the attacker's repo. The malicious payload is typically a reverse shell wrapped in something that looks like a normal installer. The agents treat instructions inside cloned code the same way they'd treat a comment authored by a teammate — and execute them.

The misidentification rates sound extreme until you understand the geometry. Pre-2019 repositories — the ones whose names are overrepresented in training corpora — were correctly identified less than 1% of the time by every model tested. Newer repositories are even worse. Trending resources that surfaced after the model's training cutoff: 100% misidentification. For 2025-vintage repos: 92.4%. Name the rank, name the regime — the model is guessing.

Nine tools, one shared blind spot

The list isn't exotic. Cursor, GitHub Copilot, Gemini CLI, Windsurf — the four biggest agent-style coding tools — were all confirmed exploitable. Five more sit alongside them in the published enumeration. What they share isn't a vendor. It's a posture: each tool routinely performs network operations on behalf of the user. They clone repos, install packages, run scripts. Every one of those steps is a window in which the agent can be steered toward an attacker-controlled endpoint.

This is what differentiates HalluSquatting from earlier prompt-injection work. Those attacks targeted individual users, one conversation at a time. HalluSquatting is a supply-chain attack on the agent itself: register the name once, harvest every developer who later asks their agent for "the X repo." Scale is free.

a developer types "clone the foo-bar-codec repo" → Cursor generates the URL from its model

11 production screens. Login, database, payments — all wired.

The SaaS Dashboard Kit ships everything already connected. Nothing to set up. Live demo at saas.otf-kit.dev.

See the live demo

The shape of a botnet, by way of a language model

To picture the endgame, multiply by the install base. Cursor and Copilot run on millions of developers' machines. If even 1% of those users ever type a request that steers toward a hallucinated name, that's tens of thousands of machines infected from a single trap. The research explicitly names three monetization paths: cryptocurrency mining on infected hardware, ransomware distribution, and distributed denial-of-service. All three benefit from volume, and HalluSquatting's amplification model — one registration, many infections — is the cheap path to that volume.

The math is what makes the threat feel different. Domain typosquatting — registering lookalike names — has been a racket since at least 2016. A successful HalluSquat costs roughly the same and enables every developer whose phrasing crosses the target's name. That ratio — one registration, many infections — is the part the paper gets right.

How to use these tools safely today

The headline mitigation is unromantic: pin versions, use lockfiles, and treat every "agent run" output the way you'd treat a junior contractor's PR. Concrete moves:

# Pin a known repo by exact tag — not by a name the model invented
git clone 

# Verify the package identity before installing anything from a freshly-cloned repo
gh repo view real-org/real-repo --json name,owner,pushedAt,license
// In a Node project: forbid the model from inventing install targets.
// The package.json "overrides" block forces a real, pinned version.
{
  "dependencies": { "left-pad": "1.3.0" },
  "overrides":   { "left-pad": "1.3.0" }
}
// In any agent config (.cursorrules, .github/copilot-instructions.md,
// Gemini CLI policy): require resolved packages to exist before run.
"steps": [
  { "name": "resolve-package", "verify": "exists-on-registry" },
  { "name": "install",         "verify": "sha256-matches-lockfile" }
]

The third snippet is the durable version of the rule. Whether the agent is Cursor today, Copilot tomorrow, or something shipped under a different brand next year — the project enforces the gate, not the model.

Three rules of thumb for any team using an agent right now:

  1. Treat any repo the agent reached for but you didn't explicitly request as suspect. Inspect before running.
  2. Don't let an agent install from a name it sourced from its own output. If the model wrote the URL, you write the lockfile entry.
  3. Audit setup.sh-shaped artifacts the way you'd audit a stranger's USB stick. They are.

The convention outlives the model

This is the part of the conversation that matters beyond any single vulnerability. Every quarter a new coding agent ships with a clever new pattern. HalluSquatting won't be the last hallucination they weaponize. The defenses that age well are the ones attached to the project, not the tool.

A version-pinned dependency manifest, an explicit resource registry, a lockfile the agent must read before it installs — these artifacts describe the project's invariants. Whichever agent runs tomorrow, it reads the same invariants today. The hallucination rate of the underlying LLM is irrelevant to the lockfile. The supply-chain shape of the project — where code can come from, and where it can't — is a property of the repo, not of the model. This is the shape that cross-platform kits like otf-kit.dev ship: invariants the agent reads, conventions the agent follows, regardless of which LLM powers the loop.

The same principle applies across platforms and across tools. A web app, an iOS app, an Android app — all reading the same dependency registry and the same agent guardrails — doesn't get to disagree about what counts as a safe package. Convention beats configuration, and configuration beats whatever the agent happened to invent on the last turn.

What this enables

HalluSquatting is a reminder that agent behavior and project policy are two different things, and only one of them is durable. A team that separates the two — the model's job is to write code, the project's job is to police where that code comes from — ships faster than a team that relies on the model to police itself. The team that writes a one-page agent policy and pins every dependency ships agents that don't need to be re-trusted every time the underlying model changes.

The interesting work isn't choosing between Cursor, Copilot, Gemini CLI, and Windsurf. It's writing the rule set that any of them has to follow.

That's the piece that holds.

ai-toolssecuritybackend
OTF SaaS Dashboard Kit

Ship the product, not the setup.

  • 11 production screens — auth, billing, team, analytics, settings
  • Real database, payments, and login — all wired on day 1
  • AI configs pre-tuned so your agent extends instead of regenerates