Description

Researchers have demonstrated HalluSquatting, an attack that exploits AI coding assistants' tendency to hallucinate repository, plugin, or package names. Attackers identify fake names that models consistently invent, register those names on platforms like GitHub or plugin marketplaces, and embed prompt injection instructions inside them. When a user asks an AI assistant to fetch a popular resource, the assistant may retrieve the attacker's fake project instead. If the assistant has permission to execute commands automatically, those hidden instructions can cause it to run attacker-controlled code, potentially installing malware. The attack combines predictable hallucinations, indirect prompt injection, and autonomous agent capabilities into a practical supply-chain threat. The attack is particularly effective because hallucinated names exhibit cross-prompt and cross-vendor consistency, making them more likely to recur across AI models. Researchers reported high success rates for these repeated mistakes and demonstrated the technique against several popular coding assistants using harmless proof-of-concept payloads. Unlike traditional botnets that rely on software vulnerabilities, password attacks, or self-propagating malware, HalluSquatting abuses the AI agent as the delivery mechanism. The compromise begins with deceptive text rather than a network exploit, allowing the attack to bypass many conventional security controls before the assistant executes malicious commands. Defending against HalluSquatting primarily requires preventing AI agents from automatically fetching and executing unverified resources. AI systems should search for and validate repository or package names before downloading them instead of guessing. Users and organizations should disable unattended auto-run modes, require approval before command execution, verify that repositories resolve to legitimate sources, and treat AI-generated resource names as suggestions rather than facts. Platform operators can further reduce risk by reserving commonly hallucinated names and restricting reuse of well-known project names, making it harder for attackers to register convincing malicious resources.