# AI Tools Vulnerable to HalluSquatting: Massive Botnet Risk

> Security flaw in popular AI coding assistants enables attackers to create large-scale botnets for DDoS attacks.
> By Dave · 2026-07-17
> Source: https://otf-kit.dev/blog/ai-tools-botnets-risk

## The hallucination that becomes a supply chain

The newest generation of AI coding agents — Cursor, GitHub Copilot, Gemini CLI, Windsurf, and others — clone a repo, install a dependency, or wire up an API in response to a one-line prompt. It's a real productivity enable, and it's why so many teams have rebuilt their daily loop around these tools. A paper from Tel Aviv University and partner institutions surfaced a category of attack that lives in the gap between "the model wanted to help" and "the resource it reached for actually existed." They named it **HalluSquatting** ([source](https://rocketnews.com/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets/)), and every coding agent that auto-retrieves code is in scope.

The interesting part isn't that the attack exists — supply-chain attacks are old. The interesting part is that the attacker doesn't need to compromise a legitimate repo, doesn't need to phish a developer, and doesn't need to touch the model weights. They register the names LLMs *hallucinate*, then wait. It's typosquatting weaponised for the agent era, and the numbers researchers measured are stark.

## What HalluSquatting actually is

HalluSquatting is a supply-chain attack that exploits the fact that LLMs confidently invent resource locations. When you ask Cursor to "install the analytics SDK," it frequently outputs a package name or a Git URL that does not exist. When that happens, the assistant has no fallback path — it just resolves to whatever was returned.

A typosquatter registers the missing name, hosts a malicious payload there, and waits. When a coding agent next retrieves that resource, the embedded `README.md` becomes the instruction set, the install script becomes the delivery vehicle, and the developer never sees a prompt that says "this could be hostile."

It's different from prompt injection in two ways that matter:

1. **No user engagement required.** Prompt injection needs a user to load attacker-controlled content. HalluSquatting rides on legitimate-looking agent behaviour that the user actually wanted.
2. **Asymmetric cost.** The attacker registers a few dozen names. The model does the distribution.

## The numbers behind the hallucination

The research team tested six major LLMs and found predictable, consistent hallucination patterns when the model was asked to resolve identifiers:

| Class of resource | Misidentification rate |
| --- | --- |
| Popular repositories | up to **85%** |
| Trending resources not in training data | **100%** |
| Older (pre-2019) repositories | **<1%** misidentification |
| 2025 repositories | **92.4%** error rate |



![accuracy collapsing as repo novelty rises — older repos resolve almost perfectly, brand-ne](https://cdn.otf-kit.dev/blog/ai-tools-botnets-risk/inline-1.png)



The older the corpus, the better the model performs. The fresher the name, the worse — and that's exactly the surface attackers want. New packages ship daily. The model has no clean way to verify them. The hallucination gets pasted into a `git clone`.

## The attack chain in five steps



![developer asks agent to install a package → agent hallucinates the repo URL → attacker reg](https://cdn.otf-kit.dev/blog/ai-tools-botnets-risk/inline-2.png)



1. Researcher (or attacker) prompts a few popular LLMs across a curated set of common tasks: "set up the Stripe webhook helper," "clone the rate-limiter demo," "install the OpenTelemetry exporter."
2. The model produces identifiers. Some exist. Many don't.
3. The attacker collects every name that doesn't resolve and registers it across GitHub, npm, and PyPI.
4. The next time a real developer runs the same prompt through Cursor, Copilot, Gemini CLI, or Windsurf, the agent retrieves the squat.
5. The malicious README or `install.sh` runs the agent's own code-execution path — typically a reverse shell — and the developer machine is now part of a botnet.

Once one machine is owned, lateral movement into the org starts from a position of trust. Aggregate enough of them and you have a DDoS-for-hire fleet, a cryptomining pool, or a ransomware staging ground. None of that is novel to botnets. What's novel is the recruitment mechanism — the developer never sees a command they didn't write, and the agent never sees a URL it didn't invent.

## Nine tools, one pattern

The nine affected coding tools share a property, not a codebase: they all auto-resolve and auto-execute code on the developer's behalf. The named set includes **Cursor**, **GitHub Copilot**, **Gemini CLI**, and **Windsurf**, plus five more — and the bigger the user base, the bigger the botnet an attacker can assemble in a quiet week.

Tool popularity is the multiplier. The same hallucination that hits one developer once a month can hit a million developers once a month, just by being the default suggestion the editor returns. This is the supply-chain asymmetry that traditional vulnerabilities don't have.

## How to defend, concretely

The defense isn't "stop using AI coding tools." The defense is "make the hallucination hurt the attacker instead of you." Here's what ships today:

```bash
# 1. Pin the agent to a known-good set of registries
export AGENT_REGISTRY_ALLOWLIST="github.com/your-org,npmjs.com/@your-scope"
export AGENT_REGISTRY_DENYLIST_TTL=3600   # re-check fresh names every hour

# 2. Require signed installs for any package fetched by an agent
npm config set signature-warnings true
npm config set sign-git-commit true

# 3. MFA on every registry publish account, especially internal ones
gh auth login --web
gh auth setup-git
```

For the team:

- **Verify before the agent clones.** A 10-second `curl -I` on a name the agent invented kills most of this attack. Make it a pre-tool hook, not a habit you remember.
- **Scope the agent's network reach.** A coding agent running in a container with no egress to arbitrary GitHub orgs can't fetch a squat, even when it hallucinates one.
- **Treat fresh names as untrusted.** Pre-2019 repositories misresolve less than 1% of the time; 2025 repositories misresolve 92.4% of the time. The asymmetry is the attack surface — flag anything younger than 90 days.
- **Log every agent-initiated fetch.** You want a SIEM event the first time an AI assistant pulls a package you didn't explicitly request.
- **Patch aggressively.** Tool vendors are likely to ship allowlists, signature checks, and registry verification in response to this research. Update the day they ship.

None of these are exotic. They're the same hygiene the supply-chain community has been asking for since the 2016 typosquatting wave. The difference is that now the developer is no longer the one running `npm install` — the agent is.

## The durable layer underneath the tool churn

Here's what doesn't change when the model does: the registry of package names that are actually yours, the allowlist of repos your team owns, the signed install path your CI enforces, and the developer policy that says *no fresh names without review.* Build those once, and every AI coding tool you adopt — today's or next year's — inherits a defense that doesn't have to be re-derived per model release.

The interesting defensive move is to stop letting your agent reach for arbitrary public packages at all. A starter kit where the same component ships identically from one canonical source — web, iOS, Android, one API everywhere — gives your assistant something to fetch that *wasn't* hallucinated. The hallucination can't land if the model always reaches for the same trusted surface first.

This is the part that doesn't hallucinate. It's also the part that doesn't ship itself. The agent can fetch a malicious package faster than you can read its README, so the only defensible posture is one where the agent can't reach the malicious package in the first place.

## What this gets us

HalluSquatting is a real vulnerability, but it's also a real-world stress test of the agent-everything story. The research is a gift — a known pattern with measured numbers, surfaced by the security community before the botnets are assembled. Treat it like a fire drill. Drill it. Ship the allowlists. Tighten the registry scopes. Then keep moving fast on the parts of your stack where AI agents genuinely outperform.

The agent that clones the wrong repo on Tuesday is the same one that ships your Friday release on time. Both of those are true. Design for the first one and you keep using the second one.