Researchers warn AI coding agents can be turned into botnet entry points
A new study says hallucinated software locations let attackers seed malicious repositories that popular AI coding tools may fetch and run.
By James Whitfield · Staff Writer
3 min read
Security researchers say a new prompt-injection technique could let attackers compromise machines through AI coding assistants at broad scale. The risk centers on tools that can fetch software resources and run commands from integrated terminals, giving a bad repository more than a chance to mislead a chatbot.
The technique, named HalluSquatting by its creators, targets a weakness in large language models: they often invent repository or resource locations when asked to retrieve newer projects. According to researchers Aya Spira, Elad Feldman, Avishai Wool and Ben Nassi of Tel Aviv University, Stav Cohen of Technion, and Ron Bitton of Intuit, an attacker can predict those invented locations, register them, and fill them with malicious instructions or code.
The researchers said the attack affects AI coding assistants and agents including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw and NanoClaw. These products commonly pull code, scripts or other resources from online repositories as part of developer work.
Prompt injection has become a central problem in AI security because models can treat malicious text inside outside material as if it were a valid instruction. Earlier attacks often required an attacker to send poisoned content to each intended victim, such as through an email or calendar item. HalluSquatting is different because it waits for agents to seek out a resource and land on the attacker’s planted version.
The name refers to adversarial hallucination squatting and echoes typosquatting, where attackers register look-alike package or domain names. In this case, the misleading name may come from the model rather than from a developer mistyping it.
According to the paper, the researchers found that LLMs can fail at identifying the correct location of newer resources at high rates. They reported that when a developer asks an agent to clone a popular new repository, models may hallucinate the location up to 85% of the time. For trending agent “skills,” which are resources that add specialized capabilities, the study found hallucinations can occur 100% of the time.
The researchers tested six foundation models: Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5 and Opus-4.5. They said repositories published before 2019 had a mean hallucination rate of 0.9%, while repositories published in 2025 had a mean hallucination rate of 92.4%.
One recurring pattern was self-referential naming, where a model treats the repository name as the account owner as well. The researchers said all six models produced that kind of owner/repository slug, and that exploiting the pattern would not require probing a model first.
After identifying likely hallucinated names, an attacker could register available accounts or resources and upload a repository that resembles the intended one. The malicious material could include instructions in a readme file telling the agent to install a reverse shell, or it could contain the code needed to do so. Because coding agents may have terminal access, the researchers warned they could execute those steps on the user’s machine.
The paper said this could support botnets, distributed denial-of-service attacks, cryptocurrency mining or broader ransomware activity by giving attackers control over many separate systems. The researchers described the appeal for attackers as high scale with limited effort, especially when targeting trending resources that many agents may request over a short period.
Other AI security researchers said the attack model is credible. Michael Bargury, chief technology officer at Zenity, told Ars Technica that the threat is real and compared it to typosquatting as an ongoing class of risk. Independent researcher Johann Rehberger said the work shows that LLM resource resolution can become an attack path when attackers find names that models are likely to confuse.
The findings add another operational burden for developers using AI agents. The researchers’ work indicates that users must verify the exact location and owner of resources before allowing an assistant to fetch and run them, especially for new or fast-rising projects that may not be represented accurately in a model’s training data.
This story draws on original reporting from Ars Technica.