Particle.news

HalluSquatting Lets Attackers Use AI Coding Assistants to Seed Botnets

A July 8 research report shows attackers can predict model-made package names, register them, and rely on agents that fetch and auto-run code unless platforms add live checks or block unattended installs.

Overview

  • Researchers from Tel Aviv University and partners published findings on Wednesday that describe a pull-based prompt-injection technique named HalluSquatting and say they told vendors before going public.
  • The attack exploits a persistent model flaw: coding assistants routinely invent plausible repository or package names, and attackers can pre-register those names and seed them with malicious install instructions.
  • Tests against nine popular agents, including Cursor, GitHub Copilot, Gemini CLI, and Windsurf, showed high consistency in hallucinated names—up to about 85% for repos and 100% for some skill installs—making prediction practical.
  • The danger grows because many agents include built-in terminals or command tools that can run fetched commands with little human review, letting a planted package trigger reverse shells or bot installs on a developer’s machine.
  • Researchers and defenders say standard prompt filters and dependency scanners miss HalluSquatting and recommend live registry existence and trust checks, marketplace controls, and disabling unattended auto-run as the most effective fixes.