Cyber Security

New HalluSquatting Attack Can Trick AI Coding Assistants into Installing Botnet Malware

AI coding assistants have a habit of getting things done. Ask someone to download a popular tool, and sometimes it will return a meaningful name for a missing project.

A new study, its authors say HalluSquattingturns that practice into an attack: find fake names that the AI ​​reliably generates, register first, and then wait for the assistant to download your trap on behalf of the user.

Anyone whose AI assistant can download an external device and execute commands with little human review is exposed. In testing, that method led the assistant to use the code provided by the attacker on the machine.

Repeat with a popular enough resource, and a single planted name can reach many machines, which is why researchers have included it as a method of bundling a botnet.

How does this work

Attacks include two AI quirks. The first is a to see with the eyes of the flesh: an AI that creates something and presents it as real. The second is a injection immediately: a bomb command that hacks the AI, to follow the attacker instead of the user.

Here, the injection is an indirect type, riding on the content the assistant fetches rather than anything the user chooses.

  1. Choose a target. An attacker finds a repository or plugin that is trending, so many people ask their AI to download it. The trends are important, because the brand new resource is not in the AI ​​training data, which is where the model starts making predictions about words.
  2. Read the error. The attacker asks the AI ​​to download that resource repeatedly and record the fake name it uses multiple times.
  3. Find the wrong word. An attacker registers that name on GitHub or a plugin store and hides conflicting commands within it.
  4. wait A real user asks his assistant to grab a popular resource. The assistant creates the same fake name and pulls the attacker’s version instead. Its hidden instructions boil down to what the assistant thinks it was told to do, and the hijacked assistant uses its control device to do it.

A trap is not a stand-alone code. It works because these assistants keep a terminal within their built-in tools, so if the planted instructions take over, “install the bot” is just something the assistant can do.

What makes it useful is that fake names are not just mistakes. In the study of researchers, the error was constant: in different sentences and in all models from different companies, the assistant reached the same incorrect word in up to 85% of the database requests and 100% of the input skills. Those are the highest rates the authors report; the paper holds the complete distinction.

They ran it against tools including Cursor, Windsurf, GitHub Copilot, Cline, Google’s Gemini CLI, and the OpenClaw family of helpers, each of which executed the attacker’s code. The downloaded tests were harmless proxies, not actual malware; the living can take the same approach.

The research comes from Aya Spira and colleagues in the group of Ben Nassi at Tel Aviv University, and Stav Cohen at the Technion and Ron Bitton at Intuit. Nassi’s team has done this before, creating a self-propagating AI email worm and a calendar invite that hijacked Google’s Gemini.

The team says it notified affected vendors, model makers, and market operators before going public, and took the necessary steps to replicate the attack.

Why is it a new type of botnet

Traditional boats take construction work. They rely on weak passwords, or malware that causes machine-to-machine worms, and often target one type of device, the way Mirai targets cameras and routers.

This does not require that. There are no passwords, no worming, and because the payload comes as AI-read text instead of network exploits, it’s not the kind of thing a firewall sees. The machines that live on it can use any operating system, not the same ship.

AI is the delivery van here, not the commodity. The planted commands are tricked into installing a generic bot, and once that bot is running, the machine belongs to the botnet like any other. What’s new is the combination that gets it there: a name that AI predicts, a marketplace where anyone can register that name, and an agent with permission to download and operate.

The pieces are not new, even if the combination is something. Attackers first learned to register fake software package names created by AI, a tactic called “slopsquatting.”

In January 2026, Charlie Eriksen of Aikido Security found one npm package made, react-codeshift, that the instructions written by AI had already spread to 237 code projects, agents are still trying to install it every day; he registered himself before any attacker did, so it was harmless.

The concept then moved from packets to web addresses. Palo Alto Networks’ Unit 42 recently described “phantom squatting,” about 250,000 domains associated with ideas that sit unregistered and free for the taking (THN write-up is here ).

HalluSquatting is an all-access version of the download agent hacking code. And markets aimed at checking malicious uploads are not far behind: in June, Trail of Bits slipped malicious “skills” past several store scanners in less than an hour.

What to do

It all boils down to one condition: an agent that downloads an external resource and runs it without anyone inspecting it. Turn that off, and the attack stops. The most effective fix is ​​also very simple: do a search for the assistant before it downloads.

Real-time observation grounds the agent in what actually exists and cuts through the guesswork. That’s the job of the people who build these tools, who can also train the programmer (the part that applies the steps) to look for the resource first and treat words like clone, install, and download as flags.

Users and security teams have real-time levers. By default, these agents prompt before executing a command. Exposing the default modes (Code Claude’s permissions flag, Gemini CLI’s yolo mode) turns that off, so the first rule is not to let an agent run unattended on anything it’s tracked.

Some tools now add a layer of security that checks what the agent reads or is about to do before it runs, such as Claude Code’s auto mode and Conseca’s Gemini CLI checks, but that reduces the risk rather than eliminating it. There is no single switch that turns this off, so also ensure that the repository or package name resolves to the actual, expected source before the agent pulls it, and treat any name the AI ​​gives as a guess, not the truth.

Platforms have their own lever. They could stop allowing people to reuse known repository names under new accounts, and pre-register fake names that AISs might name (the same defenses already in place against typosquatting), so that those names point back to the real project.

The researchers call their results low-responsibility: “Attacks always get better; they don’t get worse.” There is not a single CVE that can be patched here. They’re not reporting it as a single product bug but as a weakness in the way AI agents trust words they’ve never been given.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button