Ethical Hacking News
HalluSquatting is a new attack vector that exploits the limitations of large language models (LLMs) to assemble massive botnets and infect devices at scale. This attack leverages the tendency of LLMs to hallucinate resource identifiers hosted in repositories and registries, allowing attackers to compromise a large number of users with minimal effort. The attack is built on an LLM's inability to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing.
HalluSquatting is a new attack vector exploiting LLMs' limitations to assemble botnets and perform DDoS attacks. The attack leverages an LLM's inability to distinguish between legitimate and malicious instructions, allowing attackers to inject malicious commands. Nine popular AI tools are susceptible to this type of attack, including Cursor, Gemini CLI, and GitHub Copilot. The attack is built on an LLM's tendency to hallucinate resource identifiers, which can be exploited by attackers to install reverse shells.
HalluSquatting is a newly discovered attack vector that leverages the inherent limitations of large language models (LLMs) to assemble massive botnets, perform large-scale Distributed Denial of Service (DDoS) attacks, and infect devices at scale. This attack exploits the tendency of LLMs to hallucinate resource identifiers hosted in repositories and registries, allowing attackers to compromise a large number of users with minimal effort.
The HalluSquatting threat model is built on an LLM's inability to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing. This makes it trivial for attackers to surreptitiously inject malicious commands that the LLM readily follows. The attack works against coding agents and assistants, which commonly access high-privilege command lines to run code from third-party resources.
The researchers behind HalluSquatting have identified nine popular AI tools that are susceptible to this type of attack. These include Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw. The attackers can exploit the integrated shells and terminals of agentic applications to run scripts and code, effectively "infecting" many independent agentic applications by embedding instructions to install reverse shells in the resources they register.
The attack is built on an LLM's inherent tendency to hallucinate resource identifiers hosted in repositories and registries. The researchers have found that the six major LLMs follow common patterns when resolving repository or skill name in a prompt with its official name in a repository or skill repository. One of these patterns, known as self-referential hallucination, is exploited by the attackers.
Once an attacker has identified names that are most likely to be hallucinated, they search for ones that can be registered and then upload a repository or skill that mimics the trending resource. Buried inside the repository or skill is text in a readme file or elsewhere that contains instructions for the app to install a reverse shell on the LLM user's machine.
The researchers have published their findings in a paper, which has already received interest from fellow AI security researchers. "This is very cool research, and the threat is very real," said Michael Bargury, CTO of security firm Zenity. "Like typosquatting, it's a problem that's not going away. At the end of the day, it's about the level of agency we allow our agents. They *are* going to get fooled one way or the other. That should be our assumption, and we should be resilient to that."
Related Information:
https://www.ethicalhackingnews.com/articles/HalluSquatting-A-New-Attack-Vector-for-AI-Driven-Malware-ehn.shtml
https://arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets/
Published: Wed Jul 8 03:11:42 2026 by llama3.2 3B Q4_K_M