Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware

The Hacker News by The Hacker News
July 8, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist.

New research, which its authors call HalluSquatting, turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user’s behalf.

Anyone whose AI assistant can fetch an outside resource and then run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine.

Repeat it with a popular enough resource, and one planted name can reach many machines, which is why the researchers frame it as a way to assemble a botnet.

How it works

The attack chains two AI quirks. The first is a hallucination: an AI making something up and presenting it as real. The second is a prompt injection: a booby-trapped instruction that hijacks the AI, so it follows an attacker instead of the user.

Here, the injection is the indirect kind, riding in on content the assistant fetches rather than anything the user types.

  1. Pick a target. The attacker finds a repository or plugin that is trending, so lots of people are asking their AI to fetch it. Trending matters, because a brand-new resource is not in the AI’s training data, which is exactly when the model starts guessing at names.
  2. Learn the mistake. The attacker asks an AI to fetch that resource over and over and records the fake name it invents most often.
  3. Claim the fake name. The attacker registers that name on GitHub or a plugin store and hides adversarial instructions inside it.
  4. Wait. A real user asks their assistant to grab the popular resource. The assistant invents the same fake name and pulls in the attacker’s version instead. Its hidden instructions fold into what the assistant thinks it was told to do, and the hijacked assistant uses its own command-running tool to carry them out.

The trap is not code that runs by itself. It works because these assistants keep a terminal among their built-in tools, so once the planted instructions take over, “install a bot” is simply something the assistant can do.

What makes it practical is that the fake names are not random. In the researchers’ experiments, the mistake was consistent: across different phrasings and across models from different companies, the assistant reached for the same wrong name in up to 85% of repository requests and 100% of skill installs. Those are the peak rates the authors report; the paper carries the full breakdown.

They ran it against tools including Cursor, Windsurf, GitHub Copilot, Cline, Google’s Gemini CLI, and the OpenClaw family of assistants, getting each to run attacker code. The test payloads were harmless placeholders, not real malware; a live one would take the same path.

The research comes from Aya Spira and colleagues in Ben Nassi’s group at Tel Aviv University, with Stav Cohen at Technion and Ron Bitton at Intuit. Nassi’s group has done this before, building a self-spreading AI email worm and a calendar invite that hijacked Google’s Gemini.

The team says it told the affected vendors, model makers, and marketplace operators before going public, and held back the exact steps needed to copy the attack.

Why is it a new kind of botnet

Traditional botnets take work to build. They lean on weak passwords, or malware that worms from machine to machine, and they usually herd one kind of device, the way Mirai herded cameras and routers.

This needs none of that. No passwords, no worming, and because the payload arrives as text the AI reads rather than a network exploit, it is not the kind of thing a firewall is watching for. The machines it lands on can run any operating system, not one uniform fleet.

The AI is the delivery van here, not the cargo. The planted instructions trick it into installing an ordinary bot, and once that bot is running, the machine belongs to a botnet like any other. What is new is the combination that gets it there: a name an AI predictably invents, a marketplace where anyone can register that name, and an agent with permission to fetch and run.

The pieces are not new, even if the combination is. Attackers first learned to register fake software package names that AIs invent, a trick called “slopsquatting.”

In January 2026, Aikido Security’s Charlie Eriksen found one such made-up npm package, react-codeshift, that AI-written instructions had already spread to 237 code projects, with agents still trying to install it daily; he registered it himself before any attacker could, so it caused no harm.

The idea then jumped from packages to web addresses. Palo Alto Networks’ Unit 42 recently described “phantom squatting,” roughly 250,000 hallucinated domains sitting unregistered and free for the taking (THN’s write-up is here).

HalluSquatting is the version that reaches all the way to running code by hijacking the agent doing the fetching. And the marketplaces meant to screen bad uploads are not much of a backstop: in June, Trail of Bits slipped malicious “skills” past several store scanners in under an hour.

What to do

It all turns on one condition: an agent that fetches an outside resource and runs it with no one checking. Close that, and the attack stops. The most effective fix is also the simplest: make the assistant search before it fetches.

A real lookup grounds the agent in what actually exists and sharply cuts the guessing. That is a job for the people building these tools, who can also train the planner (the part that maps a request to steps) to look a resource up first and to treat words like clone, install, and fetch as flags.

Users and security teams have nearer-term levers. By default, these agents ask before running a command. The exposure is the auto-run modes (Claude Code’s skip-permissions flag, Gemini CLI’s yolo mode) that switch that off, so the first rule is not to let an agent run unattended on anything it fetched.

Some tools now add a safety layer that inspects what the agent reads or is about to do before it acts, like Claude Code’s auto mode and Gemini CLI’s Conseca check, but that lowers the risk rather than removing it. No single switch closes this, so also verify that a repository or package name resolves to the real, expected source before an agent pulls it in, and treat any name an AI hands you as a guess, not a fact.

Platforms have their own lever. They can stop letting people reuse well-known repository names under new accounts, and pre-register the fake names AIs are likely to invent (the same defense already used against typosquatting), so those names point back to the real project.

The researchers call their results a lower bound: “Attacks always get better; they never get worse.” There is no single CVE to patch here. They frame it not as one product’s bug but as a weakness in how AI agents trust names they were never actually given.



Source link

The Hacker News

The Hacker News

Next Post
Expert Energy Broker Sandy Carpenter of Cleveland Explains How to Switch Energy Providers for HelloNation

Expert Energy Broker Sandy Carpenter of Cleveland Explains How to Switch Energy Providers for HelloNation

Recommended.

AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

March 17, 2026
MiniTool Unveils Video Converter 4.5 with Intelligent Subtitle Feature

MiniTool Unveils Video Converter 4.5 with Intelligent Subtitle Feature

October 1, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio