HalluSquatting — Agentic Botnets via LLM Hallucinated Resource Names
AI relevance: LLM hallucinations create a new supply-chain attack surface — attackers register resources matching hallucinated names to achieve remote code execution against AI coding assistants at scale.
- Researchers from Tel Aviv University, Technion, and Intuit introduced adversarial hallucination squatting — a technique that weaponizes LLMs' tendency to hallucinate resource identifiers (repository names, skill names, package names).
- Attackers identify trending resources (popular repos, skills), compute the LLM's hallucination distribution for those names, then preemptively register the hallucinated variants to host malicious prompts.
- When an AI agent attempts to clone a repository or install a skill, the LLM hallucinates the wrong name, fetches the attacker-controlled resource, and executes embedded promptware — establishing remote code execution or tool invocation attacks.
- The attack is transferable across foundational models: hallucinations transfer between GPT, Claude, Gemini, and application layers (Cursor, Windsurf, Copilot, OpenClaw).
- Attack success rates: 85% for repository cloning, 100% for skill installation across tested agentic applications.
- Tested against Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, ZeroClaw, and NanoClaw — all achieved remote tool invocation or full RCE.
- OpenClaw showed 100% tool invocation success and 40-100% RCE success depending on the underlying model (GPT-5.4 Codex, Sonnet 4.6, Opus 4.6).
- The paper demonstrates untargeted promptware attacks at scale — attackers can establish botnets by exploiting LLM applications to install bots on devices that "pulled" compromised hallucinated resources.
- Mitigation requires input validation, resource verification, and sandboxing — but the root cause (LLM hallucination) is not fully fixable by vendors.
Why It Matters
This research exposes a fundamental tension in agentic AI: the same hallucination capability that makes LLMs useful (generating plausible resource names, inferring intent) becomes a supply-chain vulnerability when agents autonomously fetch and execute external resources. Unlike traditional typosquatting, which requires user typos, HalluSquatting exploits the model's internal probability distribution — the agent itself generates the "wrong" name without user error. This makes the attack scalable and untargeted, enabling botnet-style exploitation across thousands of developer environments.
What To Do
- Verify resource existence before cloning or installation — agents should check repository/skill registries rather than trusting hallucinated names.
- Sandbox agent execution — isolate tool invocations and file system access to limit blast radius when hallucinations lead to malicious resources.
- Log and audit hallucinated resource names — monitor for attempts to fetch non-existent repositories or skills, which may indicate squatting attacks.
- Implement allowlists for critical operations — restrict agent access to verified, trusted resource registries rather than open internet fetches.