AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist.
New research, which its authors call HalluSquatting, turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user’s behalf.
Anyone whose AI assistant can fetch an outside resource and then run commands with little human review is exposed. In tests, that path led the assistant to run attacker-supplied code on the machine.
Repeat it with a popular enough resource, and one planted name can reach many machines, which is why the researchers frame it as a way to assemble a botnet.
How it works
The attack chains two AI quirks. The first is a hallucination: an AI making something up and presenting it as real. The second is a prompt injection: a booby-trapped instruction that hijacks the AI, so it follows an attacker instead of the user.
Here, the injection is the indirect kind, riding in on content the assistant fetches rather than anything the user types.
- Pick a target. The attacker finds a repository or plugin that is trending, so lots of people are asking their AI to fetch it. Trending matters, because a brand-new resource is not in the AI’s training data, which is exactly when the model starts guessing at names.
- Learn the mistake. The attacker asks an AI to fetch that resource over and over and records the fake name it invents most often.
- Claim the fake name. The attacker registers that name on GitHub or a plugin store and hides adversarial instructions inside it.
- Wait. A real user asks their assistant to grab the popular resource. The assistant invents the same fake name and pulls in the attacker’s version instead. Its hidden instructions fold into what the assistant thinks it was told to do, and the hijacked assistant uses its own command-running tool to carry them out.
The trap is not code that runs by itself. It works because these assistants keep a terminal among their built-in tools, so once the planted instructions take over, “install a bot” is simply something the assistant can do.
What makes it practical is that the fake names are not random. In the researchers’ experiments, the mistake was consistent: across different phrasings and across models from different companies, the assistant reached for the same wrong name in up to 85% of repository requests and 100% of skill installs. Those are the peak rates the authors report; the paper carries the full breakdown.
They ran it against tools including Cursor, Windsurf, GitHub Copilot, Cline, Google’s Gemini CLI, and the OpenClaw family of assistants, getting each to run attacker code. The test payloads were harmless placeholders, not real malware; a live one would take the same path.
The research comes from Aya Spira and colleagues in Ben Nassi’s group at Tel Aviv University, with Stav Cohen at…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]

