HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
← All Stories

Hackers exploit AI hallucination to build botnets

Created at 8 Jul · 7:11 AM1 source↑ Market-relevant
IN SHORT

Researchers have developed a new attack called HalluSquatting that exploits the tendency of large language models to hallucinate resource identifiers, potentially enabling hackers to assemble massive botnets and conduct large-scale cyberattacks.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

9popular AI tools susceptible to attack
85 percenthallucination rate for popular repositories
100 percenthallucination rate for trending skills
0.9 percenthallucination rate for repositories published before 2019
92.4 percenthallucination rate for repositories published in 2025

Who's Involved

Spira et al.
researchers who developed the HalluSquatting attack
Cursor
AI coding assistant susceptible to HalluSquatting
Cursor CLI
AI coding assistant susceptible to HalluSquatting
Gemini CLI
AI coding assistant susceptible to HalluSquatting
Windsurf
AI coding assistant susceptible to HalluSquatting
GitHub Copilot
AI coding assistant susceptible to HalluSquatting
Cline
AI coding assistant susceptible to HalluSquatting
OpenClaw
AI coding assistant susceptible to HalluSquatting
ZeroClaw
AI coding assistant susceptible to HalluSquatting
NanoClaw
AI coding assistant susceptible to HalluSquatting
Gemini-2.5-flash
foundational LLM susceptible to hallucination
Gemini-2.5-pro
foundational LLM susceptible to hallucination
GPT-5.1
foundational LLM susceptible to hallucination
GPT-5.2
foundational LLM susceptible to hallucination
Sonnet-4.5
foundational LLM susceptible to hallucination
Opus-4.5
foundational LLM susceptible to hallucination
Hackers exploit AI hallucination to build botnets

↳ Why This Matters

This attack represents a significant escalation in AI security threats, moving beyond individual prompt injections to potentially large-scale botnet creation and device compromise, impacting a wide range of AI tools and users.

Key facts

  • A new attack called HalluSquatting exploits AI hallucination to create botnets.
  • The attack targets AI coding assistants and agents like GitHub Copilot and Gemini CLI.
  • Hackers predict and register resource identifiers that LLMs are likely to hallucinate.
  • Malicious code is embedded in these registered resources to install reverse shells.
  • This method allows for large-scale infection without individual targeting.
  • Potential applications include ransomware, DDoS attacks, and cryptocurrency mining.

Hackers can leverage a new attack method called "HalluSquatting" to assemble massive botnets by exploiting the inherent tendency of large language models (LLMs) to hallucinate resource identifiers. This novel pull-based attack targets AI coding assistants and agents, which routinely access external repositories and registries for code and resources. By predicting and registering identifiers that LLMs are likely to hallucinate, attackers can embed malicious instructions, such as reverse shells, within these resources. When an LLM attempts to retrieve a hallucinated resource, it inadvertently downloads and executes the malicious code, leading to widespread device infection without direct targeting. This technique bypasses the scalability limitations of previous prompt injection attacks. The researchers noted that LLMs struggle to accurately identify resource locations, with hallucination rates reaching up to 85% for popular repositories and 100% for trending skills. This flaw is present across major LLMs, including Gemini and GPT models. The attack capitalizes on predictable hallucination patterns, such as self-referential slugs where a repository name is treated as the owner. Attackers can then register these predicted names and seed them with malicious software. The potential consequences include large-scale ransomware campaigns, distributed denial-of-service (DDoS) attacks, and cryptocurrency mining operations. The attack's name is derived from "typosquatting," a similar tactic used to lure users to malicious domains or packages by mimicking popular ones.

Frequently asked questions

HalluSquatting is a new type of cyberattack that exploits the tendency of large language models (LLMs) to hallucinate resource identifiers, enabling hackers to build botnets and infect devices at scale.

AI coding assistants and agents such as Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw are susceptible.

Attackers predict resource identifiers that LLMs are likely to hallucinate, register them, and embed malicious code. When the LLM accesses these resources, it inadvertently installs malware.

The attack could lead to the creation of massive botnets for DDoS attacks, large-scale ransomware campaigns, and cryptocurrency mining.

What Happens Next

01Researchers will continue to study LLM vulnerabilities and develop mitigation strategies.
02AI developers are expected to implement more robust guardrails against such attacks.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

Prompt injection has become a significant threat in AI security.
Existing prompt injection attacks are limited by scale.
Researchers developed a new pull-based attack named HalluSquatting.
HalluSquatting exploits LLMs' tendency to hallucinate resource identifiers.
The attack targets AI coding assistants and agents.
Attackers register predicted hallucinated identifiers with malicious code.
This allows for indiscriminate infection of devices at scale.
HalluSquatting could enable large ransomware campaigns and botnets for DDoS or crypto mining.

Sources

T1
Hackers can use 9 of the most popular AI tools to assemble massive botnetsvar abtest_2162062 = new ABTest(2162062, 'impression');Ars Technica

Related Stories

AI-Generated Soldiers Flood Social Media Feeds
7 Jul · 9:10 AM
China's DeepSeek plans custom chips amid US export controls
7 Jul · 4:21 PM
2026's Worst Data Breaches: From Social Security to Critical Infrastructure
7 Jul · 5:10 PM
Discord AI moderation bug wrongly banned thousands over harmless images
7 Jul · 7:45 PM
Cheap AI Undermining Indonesian Academic Credibility
8 Jul · 3:05 AM