HalluSquatting — Agentic Botnets via LLM Hallucinated Resource Names

AI relevance: LLM hallucinations create a new supply-chain attack surface — attackers register resources matching hallucinated names to achieve remote code execution against AI coding assistants at scale.

  • Researchers from Tel Aviv University, Technion, and Intuit introduced adversarial hallucination squatting — a technique that weaponizes LLMs' tendency to hallucinate resource identifiers (repository names, skill names, package names).
  • Attackers identify trending resources (popular repos, skills), compute the LLM's hallucination distribution for those names, then preemptively register the hallucinated variants to host malicious prompts.
  • When an AI agent attempts to clone a repository or install a skill, the LLM hallucinates the wrong name, fetches the attacker-controlled resource, and executes embedded promptware — establishing remote code execution or tool invocation attacks.
  • The attack is transferable across foundational models: hallucinations transfer between GPT, Claude, Gemini, and application layers (Cursor, Windsurf, Copilot, OpenClaw).
  • Attack success rates: 85% for repository cloning, 100% for skill installation across tested agentic applications.
  • Tested against Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, ZeroClaw, and NanoClaw — all achieved remote tool invocation or full RCE.
  • OpenClaw showed 100% tool invocation success and 40-100% RCE success depending on the underlying model (GPT-5.4 Codex, Sonnet 4.6, Opus 4.6).
  • The paper demonstrates untargeted promptware attacks at scale — attackers can establish botnets by exploiting LLM applications to install bots on devices that "pulled" compromised hallucinated resources.
  • Mitigation requires input validation, resource verification, and sandboxing — but the root cause (LLM hallucination) is not fully fixable by vendors.

Why It Matters

This research exposes a fundamental tension in agentic AI: the same hallucination capability that makes LLMs useful (generating plausible resource names, inferring intent) becomes a supply-chain vulnerability when agents autonomously fetch and execute external resources. Unlike traditional typosquatting, which requires user typos, HalluSquatting exploits the model's internal probability distribution — the agent itself generates the "wrong" name without user error. This makes the attack scalable and untargeted, enabling botnet-style exploitation across thousands of developer environments.

What To Do

  • Verify resource existence before cloning or installation — agents should check repository/skill registries rather than trusting hallucinated names.
  • Sandbox agent execution — isolate tool invocations and file system access to limit blast radius when hallucinations lead to malicious resources.
  • Log and audit hallucinated resource names — monitor for attempts to fetch non-existent repositories or skills, which may indicate squatting attacks.
  • Implement allowlists for critical operations — restrict agent access to verified, trusted resource registries rather than open internet fetches.

Sources