New Attack Vector - July 2026

What Is HalluSquatting? How AI Agents Can Retrieve Malicious Resources

A newly documented attack technique exploits the tendency of agentic AI tools to hallucinate resource identifiers. Attackers pre-register those names as repositories, skills, or packages, then use the retrieved resource to host adversarial prompts or code.

Researchers
Tel Aviv University, Technion, Intuit
Tools tested
Cursor, Windsurf, Copilot, Cline, Gemini CLI
Attack type
Promptware / AI hallucination
Paper submitted
July 8, 2026

1. Definition

HalluSquatting (portmanteau of hallucination + squatting) is an AI-agent attack technique in which an adversary registers a resource identifier that an LLM application is likely to hallucinate. When an agent retrieves that repository, skill, package, or similar resource, attacker-controlled content can poison the agent's context and steer tool use or code execution.

The attack was systematically documented in a 2026 research paper by scientists from Tel Aviv University, the Technion - Israel Institute of Technology, and Intuit. The arXiv record was submitted on July 8, 2026.

HalluSquatting turns predictable hallucinations of resource identifiers into a way to pull adversarial prompts or code into agentic AI applications.- Summary of the published research

2. How the Attack Works

The attack exploits two properties of large language models used in agentic tools:

  1. Hallucination - LLMs sometimes generate confident, plausible-sounding resource identifiers, such as repository names, skill names, package names, GitHub usernames, or paths that do not actually exist.
  2. Agentic retrieval and execution - Modern AI agents can fetch external resources and run tools or shell commands, including git clone, skill installation, npm install, or pip install.

Step-by-step attack flow

1
Discovery
Attackers prompt AI tools repeatedly to find resource identifiers they hallucinate consistently.
2
Registration
The attacker registers the hallucinated identifier as a repository, skill, package, or other retrievable resource.
3
Adversarial content
The registered resource hosts adversarial prompts, scripts, install hooks, or code that can influence the agent after retrieval.
4
Victim triggers
A user asks an AI assistant to clone, install, or fetch a resource. The assistant references the hallucinated name, which is now attacker-controlled.
5
Execution
The agent retrieves the resource, ingests its content, and may invoke tools or execute code under the local user's privileges.

What makes HalluSquatting particularly dangerous is that the attacker may not need a direct channel to the victim. The user is not sent a phishing email or calendar invite; the agent can pull the attacker-controlled resource from the Internet during a normal task.

3. HalluSquatting vs. Typosquatting

HalluSquatting is related to classic typosquatting. Both exploit the ability to register confusing names, but the source of the bad name differs:

AttributeTyposquattingHalluSquatting
Origin of bad nameHuman typo / fast typingAI model hallucination
Attacker effortRegister near-typos of popular namesProbe AI tools to find consistent hallucinated resources
Victim awarenessPossible with careful reviewLow - the agent produced or retrieved the name
ScalabilityLimited by popular namesScales with AI adoption and popular resources
DefenseSpell-check, lock filesVerify AI-suggested resources against official sources
DetectionDiff package name vs. known packagesRequires hallucination-aware and retrieval-aware tooling

4. Affected AI Tools

The public research page lists AI coding assistants, CLIs, and assistant applications that exhibited practical exposure under the tested conditions:

Cursor

Tested

AI-first code editor with agentic workflows and integrated terminal capabilities.

Windsurf / Cline

Tested

Agentic coding tools that can plan development tasks and interact with local project resources.

GitHub Copilot

Tested

Microsoft/GitHub's AI coding assistant, evaluated in the research as part of the affected tool class.

Gemini CLI

Tested

Google's command-line AI agent, a representative CLI with tool and shell execution paths.

OpenClaw / ZeroClaw / NanoClaw

Tested

Assistant applications listed by the researchers among the production LLM applications tested.

Any AI agent capable of retrieving external resources and invoking tools is potentially exposed. That includes tools that can run git clone, install skills, install packages, or execute scripts after reading untrusted content.

5. Real-World Risk

Why hallucinations happen consistently

LLMs learn from code and documentation patterns on the Internet. During generation, the model may interpolate plausible but nonexistent identifiers. The 2026 paper reports that hallucinated resource generation can be predictable and transferable across foundation models and application layers, giving attackers a reliable target.

Payload potential

A malicious or poisoned resource can carry adversarial prompts or install-time code. Packages on npm or PyPI may also run code during installation via postinstall scripts (npm) or legacy setup.py paths (Python). This can give attackers the ability to:

  • Exfiltrate environment variables, API keys, and SSH keys
  • Establish persistence through malware or a bot process
  • Deploy ransomware or cryptominers
  • Pivot to CI/CD secrets if run inside a pipeline

Agentic amplification

The risk increases when AI agents operate autonomously. In agentic pipelines, there may be no human review step between the AI's resource choice and tool invocation. The paper frames this as a route to scalable, untargeted promptware attacks and potential botnet delivery.

6. How to Prevent HalluSquatting

For individual developers

Always verify AI-suggested resources
Before running an install, clone, or skill command suggested by an AI, confirm the resource on the official registry, marketplace, or upstream project page.
Use lock files and version pinning
Commit package-lock.json, yarn.lock, or requirements.txt. Review dependency changes carefully in PRs.
Review AI commands before execution
Configure AI coding tools to require explicit approval before running shell commands or fetching new resources.
Inspect before running
Use npm install --ignore-scripts for unfamiliar packages and review install scripts, skill manifests, and repository instructions before trusting them.

For teams and organizations

Private registry with allowlisting
Route installs through an approved registry or artifact proxy. Only allow explicitly approved packages and skills.
AI permission policies
Require human-in-the-loop approval for package installation, skill installation, cloning unknown repositories, and shell execution.
Dependency and resource scanning
Run dependency scanning and provenance checks in CI to catch unknown or suspicious resources before they enter production.
Developer training
Train developers to treat AI-suggested names as untrusted until independently verified.

Quick security checklist

  • Verify every AI-suggested repository, package, and skill against an official source
  • Confirm the publisher or maintainer is trustworthy and has a real history
  • Check publish dates and recent ownership changes
  • Use npm install --ignore-scripts for unfamiliar packages
  • Review install scripts, skill manifests, and repository instructions before running
  • Run installs and clones in an isolated environment when in doubt
  • Enable private registry allowlisting for teams
  • Keep AI agent permissions scoped; require approval for external retrieval and shell execution

7. Frequently Asked Questions

Is HalluSquatting the same as prompt injection?
No. Prompt injection is a broader technique for inserting malicious instructions into an AI system's input or context. HalluSquatting is a way to make an agent pull attacker-controlled resources that can then carry adversarial prompts or code.
Has HalluSquatting been exploited in the wild?
The researchers documented the attack in a controlled research setting and responsibly disclosed findings before publication. As of July 2026, public reporting described the risk and demonstrations, but did not attribute a confirmed real-world campaign.
Does disabling AI agent auto-run fix the problem?
It significantly reduces risk. If an AI agent cannot autonomously retrieve resources or run shell commands, the attack requires more human action and becomes easier to catch.
Are language models being patched to fix this?
Hallucination reduction and safer agent permissions are active areas of work. Because hallucinations cannot be fully eliminated from current LLMs, defensive practices such as source verification, allowlisting, and human approval remain essential.
Which registries or marketplaces are at risk?
Any ecosystem where attackers can register names or publish retrievable resources is relevant: public GitHub repositories, skill marketplaces, npm, PyPI, RubyGems, crates.io, and similar registries. Private, allowlisted registries reduce this exposure.
How is HalluSquatting different from dependency confusion attacks?
Dependency confusion involves publishing a public package with the same name as a private internal dependency. HalluSquatting does not require a prior private package; it targets names that AI systems hallucinate.

Further Reading

Stay ahead of AI security threats

HalluSquatting is an early documented example of a broader class of AI-agent promptware and retrieval attacks. As AI tools gain more autonomy, verify external resources, scope agent permissions, and enable package provenance checks in your development workflow.

Use the content accuracy review skill