What happens when an AI's most well-known flaw becomes its most dangerous vulnerability? HalluSquatting is the answer: a newly documented attack technique that weaponizes AI hallucination not as an accuracy problem, but as a malware delivery system. Researchers from Tel Aviv University, Technion, and Intuit have demonstrated that AI coding assistants hallucinate fake package and repository names at rates reaching 100 percent on skill installation prompts, and that attackers can pre-register those hallucinated names to deliver malware to unsuspecting developers. The attack works across every major AI coding platform, making it the first truly scalable AI supply chain vulnerability.
How HalluSquatting Works
The attack exploits a fundamental property of large language models: they hallucinate. When a developer asks an AI assistant to clone a popular repository or install a tool, the AI frequently fabricates a name that sounds plausible but does not exist. The researchers found hallucination rates of 85 percent for repository-cloning prompts and a staggering 100 percent for skill installation prompts across the models they tested. Critically, the same hallucinated names recur across different foundation models, meaning the attack is broadly transferable.
The attacker's playbook is straightforward. They monitor AI assistant outputs, identify commonly hallucinated package and repository names, then pre-register those names on platforms like npm, PyPI, and GitHub. When a developer follows the AI's suggestion and runs the installation command, they pull the attacker's malicious package instead. From there, the attacker gains code execution on the developer's machine, with the ability to deploy malware, steal credentials, install backdoors, or recruit the machine into an agentic botnet.
The attack targets the most widely used AI coding tools: Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, and Claude Code. Every platform that suggests package installations or repository clones based on LLM output is vulnerable by design, because the hallucination is inherent to the model, not a bug that can be patched.
Agentic Botnets: The Next Frontier of AI-Powered Attacks
The HalluSquatting research goes beyond simple malware delivery. The team demonstrated that the technique can be used to assemble agentic botnets: networks of compromised developer machines where each infected AI agent follows attacker commands autonomously. Unlike traditional botnets that require command-and-control infrastructure, agentic botnets inherit the AI assistant's tool-use capabilities, meaning attackers can instruct compromised agents to perform complex tasks like code theft, credential harvesting, and lateral network movement without building custom malware.
The scale potential is significant. If an attacker registers five hallucinated package names and each gets installed by 1,000 developers per week across different AI platforms, that is 5,000 new infections weekly from a single registration effort. Because the hallucinated names are consistent across models, a single squatting campaign can target users of every major coding assistant simultaneously. The researchers warn this could be the most scalable AI-powered attack to date, and its novelty means most security tools are not yet equipped to detect it.
What Makes HalluSquatting Different From Traditional Supply Chain Attacks
Supply chain attacks are not new. Dependency confusion, typosquatting, and malicious packages have been documented for years. HalluSquatting is different in three critical ways. First, it exploits the AI assistant's recommendation authority: developers trust the AI when it suggests a package, so they are less likely to verify the name before installing. Second, it operates at model level rather than registry level: even if npm and PyPI deploy countermeasures, the AI will simply hallucinate different names. Third, it scales across platforms simultaneously because the hallucination pattern is a property of the underlying LLM architecture, not any single tool's implementation.
The research team tested multiple leading foundation models and found that hallucinated names cluster around the same semantic space across models. A name hallucinated by Claude Code's underlying model is highly likely to also be hallucinated by GPT-based assistants and Gemini models. This cross-model consistency transforms HalluSquatting from a single-platform nuisance into a whole-ecosystem vulnerability.
What Founders Need to Do Today
For solo founders and small teams who depend on AI coding tools for daily development, HalluSquatting is not a theoretical threat. It is a demonstrated attack technique with a published proof of concept, and the registration window for hallucinated names is already open. Every minute an attacker spends monitoring AI output and squatting names is a minute your next AI-suggested install could be compromised.
Three practical steps can reduce your exposure significantly. First, always verify AI-suggested package names against official registries before running any install command. A thirty-second check on npmjs.com or PyPI.org can prevent a compromise that takes weeks to detect. Second, use package lockfiles and integrity verification tools. Lockfiles pin exact versions and hashes, so even if an attacker registers a squatted name on the registry, your build pipeline rejects the mismatch. Third, run AI-generated installation commands in sandboxed or containerized environments whenever possible. A throwaway Docker container is cheap insurance against a supply chain compromise.
The AI industry will need to respond at multiple levels: model providers must reduce hallucination rates for package and repository references specifically, registry operators must implement proactive squatting detection for AI-hallucinated names, and security tooling vendors must add HalluSquatting detection to their alerting pipelines. But those countermeasures will take months to deploy. For now, the responsibility falls on every developer using AI coding tools to verify before they trust.



