HalluSquatting: AI Coding Assistants Exploited to Deploy Botnet Malware

Artificial intelligence (AI) coding assistants have become invaluable tools for developers, streamlining the coding process and enhancing productivity. However, recent research has unveiled a critical vulnerability in these systems, termed ‘HalluSquatting,’ which cybercriminals can exploit to deploy botnet malware on unsuspecting users’ machines.

AI models, including coding assistants, are known to occasionally generate plausible-sounding but non-existent information—a phenomenon referred to as ‘hallucination.’ In the context of coding assistants, this can manifest as the suggestion of fictitious libraries, packages, or repositories. Malicious actors can capitalize on this by identifying these hallucinated names, registering them as actual domains or packages, and embedding them with malicious code.

The HalluSquatting attack unfolds in several stages:

  1. Identifying Targeted Resources: Attackers monitor trending repositories or plugins that are frequently requested by developers. These popular resources are often not yet included in the AI’s training data, prompting the model to generate approximate or incorrect names.
  2. Determining Common Hallucinations: By repeatedly querying the AI assistant for the desired resource, attackers can identify the most consistent incorrect names generated by the model.
  3. Registering Malicious Entities: Once a common hallucinated name is identified, attackers register it on platforms like GitHub or package managers, embedding malicious instructions within the code.
  4. Exploiting AI Recommendations: When developers rely on their AI assistants to fetch these resources, the assistant may suggest the maliciously registered entity. If the developer proceeds with the installation, the embedded malicious code is executed, potentially compromising the system.

What makes HalluSquatting particularly concerning is the consistency of these hallucinations. Research indicates that across various AI models and different phrasings, the same incorrect names are generated with high frequency—up to 85% for repository requests and 100% for skill installations. This predictability allows attackers to effectively anticipate and exploit these AI-generated errors.

In practical demonstrations, researchers successfully executed HalluSquatting attacks against multiple AI coding assistants, including Cursor, Windsurf, GitHub Copilot, Cline, Google’s Gemini CLI, and the OpenClaw family. These tests involved benign payloads to illustrate the vulnerability, but the same method could be employed to deploy harmful malware.

The implications of HalluSquatting are profound. Unlike traditional botnet formation methods that often require exploiting weak passwords or spreading malware through networks, this technique leverages the inherent behavior of AI systems. By manipulating the AI’s tendency to hallucinate, attackers can induce users to inadvertently install malicious software, effectively turning their machines into nodes within a botnet.

To mitigate the risks associated with HalluSquatting, developers and organizations should exercise caution when relying on AI-generated recommendations, especially for fetching external resources. Implementing verification mechanisms, such as cross-referencing suggested packages with official repositories and maintaining an up-to-date list of trusted sources, can help prevent the inadvertent installation of malicious code.

As AI continues to integrate into various facets of technology, understanding and addressing its vulnerabilities becomes paramount. The HalluSquatting attack underscores the need for ongoing vigilance and the development of robust security measures to safeguard against the exploitation of AI-induced errors.