'HalluSquatting' Turns AI Hallucinations Into Botnet Delivery Mechanism
What happened
Researchers published details on July 10, 2026 of 'HalluSquatting', which exploits LLMs' tendency to hallucinate non-existent package names. Attackers pre-register these fake names and embed malicious code — when an AI assistant recommends installation, the malware installs automatically.
Context and impact
AI coding assistants (Cursor, GitHub Copilot, Gemini CLI, Cline) can become malware delivery vehicles without traditional phishing. The technique bypasses firewalls and antivirus tools since the attack arrives through a trusted AI channel. Agentic botnets can spread via prompt injection.
Details
- Hallucination rates: up to 85% for repo-cloning prompts; up to 100% for skill installations
- Affected tools: Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw
- Mechanism: name squatting → prompt injection → autonomous spread
- Defense: allowlist of approved packages, manual verification before any installation
Open original source
SecurityWeek