Overview
- Researchers from Tel Aviv University and partners published findings on Wednesday that describe a pull-based prompt-injection technique named HalluSquatting and say they told vendors before going public.
- The attack exploits a persistent model flaw: coding assistants routinely invent plausible repository or package names, and attackers can pre-register those names and seed them with malicious install instructions.
- Tests against nine popular agents, including Cursor, GitHub Copilot, Gemini CLI, and Windsurf, showed high consistency in hallucinated names—up to about 85% for repos and 100% for some skill installs—making prediction practical.
- The danger grows because many agents include built-in terminals or command tools that can run fetched commands with little human review, letting a planted package trigger reverse shells or bot installs on a developer’s machine.
- Researchers and defenders say standard prompt filters and dependency scanners miss HalluSquatting and recommend live registry existence and trust checks, marketplace controls, and disabling unattended auto-run as the most effective fixes.