What Is HalluSquatting? How AI Agents Can Retrieve Malicious Resources
A newly documented attack technique exploits the tendency of agentic AI tools to hallucinate resource identifiers. Attackers pre-register those names as repositories, skills, or packages, then use the retrieved resource to host adversarial prompts or code.
1. Definition
HalluSquatting (portmanteau of hallucination + squatting) is an AI-agent attack technique in which an adversary registers a resource identifier that an LLM application is likely to hallucinate. When an agent retrieves that repository, skill, package, or similar resource, attacker-controlled content can poison the agent's context and steer tool use or code execution.
The attack was systematically documented in a 2026 research paper by scientists from Tel Aviv University, the Technion - Israel Institute of Technology, and Intuit. The arXiv record was submitted on July 8, 2026.
HalluSquatting turns predictable hallucinations of resource identifiers into a way to pull adversarial prompts or code into agentic AI applications.- Summary of the published research
2. How the Attack Works
The attack exploits two properties of large language models used in agentic tools:
- Hallucination - LLMs sometimes generate confident, plausible-sounding resource identifiers, such as repository names, skill names, package names, GitHub usernames, or paths that do not actually exist.
- Agentic retrieval and execution - Modern AI agents can fetch external resources and run tools or shell commands, including
git clone, skill installation,npm install, orpip install.
Step-by-step attack flow
What makes HalluSquatting particularly dangerous is that the attacker may not need a direct channel to the victim. The user is not sent a phishing email or calendar invite; the agent can pull the attacker-controlled resource from the Internet during a normal task.
3. HalluSquatting vs. Typosquatting
HalluSquatting is related to classic typosquatting. Both exploit the ability to register confusing names, but the source of the bad name differs:
| Attribute | Typosquatting | HalluSquatting |
|---|---|---|
| Origin of bad name | Human typo / fast typing | AI model hallucination |
| Attacker effort | Register near-typos of popular names | Probe AI tools to find consistent hallucinated resources |
| Victim awareness | Possible with careful review | Low - the agent produced or retrieved the name |
| Scalability | Limited by popular names | Scales with AI adoption and popular resources |
| Defense | Spell-check, lock files | Verify AI-suggested resources against official sources |
| Detection | Diff package name vs. known packages | Requires hallucination-aware and retrieval-aware tooling |
4. Affected AI Tools
The public research page lists AI coding assistants, CLIs, and assistant applications that exhibited practical exposure under the tested conditions:
Cursor
TestedAI-first code editor with agentic workflows and integrated terminal capabilities.
Windsurf / Cline
TestedAgentic coding tools that can plan development tasks and interact with local project resources.
GitHub Copilot
TestedMicrosoft/GitHub's AI coding assistant, evaluated in the research as part of the affected tool class.
Gemini CLI
TestedGoogle's command-line AI agent, a representative CLI with tool and shell execution paths.
OpenClaw / ZeroClaw / NanoClaw
TestedAssistant applications listed by the researchers among the production LLM applications tested.
Any AI agent capable of retrieving external resources and invoking tools is potentially exposed. That includes tools that can run git clone, install skills, install packages, or execute scripts after reading untrusted content.
5. Real-World Risk
Why hallucinations happen consistently
LLMs learn from code and documentation patterns on the Internet. During generation, the model may interpolate plausible but nonexistent identifiers. The 2026 paper reports that hallucinated resource generation can be predictable and transferable across foundation models and application layers, giving attackers a reliable target.
Payload potential
A malicious or poisoned resource can carry adversarial prompts or install-time code. Packages on npm or PyPI may also run code during installation via postinstall scripts (npm) or legacy setup.py paths (Python). This can give attackers the ability to:
- Exfiltrate environment variables, API keys, and SSH keys
- Establish persistence through malware or a bot process
- Deploy ransomware or cryptominers
- Pivot to CI/CD secrets if run inside a pipeline
Agentic amplification
The risk increases when AI agents operate autonomously. In agentic pipelines, there may be no human review step between the AI's resource choice and tool invocation. The paper frames this as a route to scalable, untargeted promptware attacks and potential botnet delivery.
6. How to Prevent HalluSquatting
For individual developers
For teams and organizations
Quick security checklist
- ✓Verify every AI-suggested repository, package, and skill against an official source
- ✓Confirm the publisher or maintainer is trustworthy and has a real history
- ✓Check publish dates and recent ownership changes
- ✓Use npm install --ignore-scripts for unfamiliar packages
- ✓Review install scripts, skill manifests, and repository instructions before running
- ✓Run installs and clones in an isolated environment when in doubt
- ✓Enable private registry allowlisting for teams
- ✓Keep AI agent permissions scoped; require approval for external retrieval and shell execution
7. Frequently Asked Questions
Is HalluSquatting the same as prompt injection?▾
Has HalluSquatting been exploited in the wild?▾
Does disabling AI agent auto-run fix the problem?▾
Are language models being patched to fix this?▾
Which registries or marketplaces are at risk?▾
How is HalluSquatting different from dependency confusion attacks?▾
Further Reading
- arXivBeware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquattingOriginal paper by researchers from Tel Aviv University, Technion, and Intuit.
- Research siteAgentic Botnets project pageResearch summary, affected tool categories, attack steps, FAQ, and ethical disclosure notes.
- Ars TechnicaHackers can use 9 of the most popular AI tools to assemble massive botnetsNews coverage of the HalluSquatting research and its implications for agentic AI tools.
- The Hacker NewsNew HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet MalwareSecurity-focused analysis of the attack surface and affected tools.
- SecurityWeek'HalluSquatting' Turns AI Hallucinations Into Botnet Delivery MechanismEnterprise security implications and mitigation guidance.
Stay ahead of AI security threats
HalluSquatting is an early documented example of a broader class of AI-agent promptware and retrieval attacks. As AI tools gain more autonomy, verify external resources, scope agent permissions, and enable package provenance checks in your development workflow.
Use the content accuracy review skill