Ask an AI coding assistant to pull in a popular tool or code library, and most of the time it gets the address right. But ask for something newer — a repository or "skill" that only started trending recently — and the assistant will frequently guess wrong, and hand back a confident, made-up answer instead of admitting it doesn't know. Researchers have now shown that wrong guess is predictable enough to weaponize: register the exact fake address the AI is most likely to invent, poison it, and wait. They call the technique HalluSquatting, and they've demonstrated it works against nine of the most widely used AI coding tools.

What it actually does. Every AI coding assistant occasionally "hallucinates" — states something false with total confidence. Researchers at Tel Aviv University, the Technion, and Intuit measured exactly how often that happens when an assistant is asked to fetch a specific code repository or "skill" (a packaged set of instructions that gives an AI agent new capabilities). For repositories published before 2019 — well inside the AI's training data — the hallucination rate was under 1%. For repositories from 2025, trending but too new to be reliably memorized, the models got the address wrong an average of 92.4% of the time, and up to 100% of the time for some "skills." Critically, the wrong guesses weren't random: across six major AI models, the same mistaken address came up again and again, because the models share a common failure pattern — commonly guessing the repository's own name as if it were also the publisher's name.

The attack. If the wrong answer is predictable, an attacker doesn't need to trick anyone individually. They can identify the exact fake address an AI is likely to invent, register it before anyone else does, and load it with instructions — sometimes buried in a plain-text readme file — to install a reverse shell, the kind of backdoor that hands an attacker remote control of a machine. The coding assistant, following what looks like a normal instruction from a resource it just fetched, does the installing itself. No phishing email, no individually targeted victim — just an assistant doing its job and getting steered somewhere it was never supposed to go.

Why it scales differently than past attacks. Most prompt-injection attacks up to now have had to be aimed at someone — a poisoned calendar invite, a booby-trapped email — which limits how many victims a single attack can reach. HalluSquatting doesn't need a target. Because the false address is baked into how the AI models themselves work, one poisoned repository can be reached by any user, on any of the nine tools, who happens to ask their assistant for the same trending resource. Researchers say that structure could, in principle, be used to build a large-scale botnet, run mass ransomware campaigns, or hijack computing power for cryptocurrency mining — the same categories of damage tied to established botnets like Mirai.

The nine tools. The researchers demonstrated the technique works against Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw — a cross-section of the most widely used AI coding assistants and agents on the market, spanning six different underlying AI models.

What this is not. This is demonstrated capability, not an observed attack. The researchers responsibly disclosed the technique to the affected companies and AI developers before publishing, and instead of planting real malware, they registered a harmless test repository and a harmless test "skill" to prove the mechanism works — no live reverse shells, no real victims. The researchers’ own name for the technique — "adversarial hallucination squatting" — is a deliberate nod to "typosquatting," where a fake package name mimics a real one; here the same trick is aimed at a target that can’t help but guess wrong on its own. The mechanism doesn’t rest on one team’s say-so: the underlying paper documents the hallucination rates and the responsible disclosure, and the work was picked up across the security press within days of release.

What actually fixes this. The researchers didn't just find the hole — they published specific proposals for closing it, aimed at two different groups.

For the companies that build the AI tools themselves, the fix starts with a workflow change: have the assistant search for a resource and confirm it's real before it fetches and runs anything, rather than fetching on a hallucinated guess. The researchers found that requiring a search step first "substantially reduces hallucination rates," and they suggest builders train their AI's planning logic with examples that model that search-before-retrieve pattern, plus add automated checks that flag when a request is about to fetch and run something without having verified it first.

For the platforms that host the code — GitHub, ClawHub, and similar registries and marketplaces — the researchers propose two fixes that could be used together. One: make resource names globally unique, so an attacker can't register a popular project's name under a different account and have it look legitimate. Two, borrowed directly from how the industry already fights typosquatting: platforms can preemptively register the exact names an AI is likely to hallucinate, before an attacker does, and simply redirect them to the real resource — turning the predictability that makes the attack work into the thing that defuses it.

None of these fixes are in place yet. They're published recommendations, not deployed protections — which is exactly why the "Do It Now" advice below is aimed at you, not just the companies.

✅ Do It Now

  • Treat a brand-new trending repository or "skill" the way you'd treat a link from a stranger. If your AI assistant is about to install something published in the last few months, don't just accept the address it gives you — verify the actual publisher/owner on the real platform (GitHub, a marketplace) before letting the assistant run anything.
  • Older, established code is safer by this research's own numbers — pre-2019 repositories were almost never hallucinated. The newer and more "trending" a resource is, the more scrutiny it needs, not less.
  • If you run any of the nine named tools (Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, NanoClaw), watch for vendor security advisories — the researchers disclosed to the makers before publishing, so patches or warnings may follow.

This is journalism about a security research disclosure, not a warning of an active, ongoing attack. As of publication, this is a demonstrated, responsibly disclosed technique — not a confirmed real-world botnet.

The Receipts

BL:UF doesn't ask you to trust us. Check our work:

Full reporting: "HalluSquatting" weaponizes LLMs' inability to say "I don't know" — Dan Goodin, Ars Technica, July 8, 2026: arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets

Primary research site (Spira, Feldman, Wool, Nassi — Tel Aviv University; Cohen — Technion; Bitton — Intuit), including the hallucination-rate data and responsible-disclosure statementsites.google.com/view/agentic-botnets/home