HalluSquatting: When Your AI Assistant Hallucinates a Package Name at 100% and an Attacker Already Registered It. That's Not a Typo Botnet — It's a Pull-Based One.
- Patrick Duggan
- 3 minutes ago
- 4 min read
There is a category of attack that only became possible when developers started letting AI assistants fetch things for them, and this week researchers gave its nastiest form a name: HalluSquatting. The premise is almost too simple. Large language models, asked to write code or set up a project, confidently invent the names of packages, repositories, and plugins that do not exist. They do it a lot — the new research measured hallucination rates as high as 85 percent when cloning repositories and up to 100 percent in certain skill-installation tasks. An attacker does not need to trick your assistant into anything. They just need to find out which names it tends to invent, register those names first, and wait. The next time any agent hallucinates its way to that name and installs it, the machine is compromised.
Why this is a botnet, not a typo
We have covered the front half of this before. On July 1 we wrote "AI Hallucinates a Domain for Your Brand. An Attacker Registers It Before You Do" — Unit 42's Phantom Squatting work, where the invented artifact was a web domain. HalluSquatting is the same mechanism aimed at the software supply chain instead of the browser, and the research team — Aya Spira, Stav Cohen, Elad Feldman, Ron Bitton, Avishai Wool, and Ben Nassi, out of Tel Aviv University, the Technion, and Intuit — draw the line that makes it dangerous at scale.
Classic prompt injection is a bespoke crime. You have to get your poisoned instruction in front of a specific target — hide it in an email, a calendar invite, a web page the victim's agent will read. HalluSquatting needs none of that. It is untargeted and pull-based: the attacker never has to reach the victim, because the victim's own agent reaches out and pulls the poisoned package during normal work. Register one hallucinated name and you compromise every agent that independently hallucinates its way to it. That is the propagation model of a botnet — one planted resource, many self-delivering victims — and the researchers demonstrated exactly that, building a botnet of machines that were remotely controllable after the malicious install. The hallucinations even transfer across different models and applications, so a name one assistant tends to invent, others tend to invent too. One squat, broad reach.
Why we are unusually well-placed on this one
Most of the industry is going to write the alarming version of this story. We would rather point at the part of it we already defend. HalluSquatting ends the same way every supply-chain attack ends: with a package that should not be trusted getting installed. And a curated deny-list of known-malicious packages is exactly the control that stops it at the install step, whether the name arrived via a human typo, a slopsquatting guess, or an AI hallucination — the delivery mechanism does not change what has to be blocked.
That is a feed we already run. Our malicious-package deny-list pulls curated, named-not-heuristic known-bad packages across npm and PyPI — hundreds of thousands of them — and serves them so a build or a pre-install hook can fail on a name-and-version match before the code ever executes. It does not care whether your developer typed the bad name or your agent dreamed it up. The hallucination is a new on-ramp to an old highway, and we have been watching that highway.
What to do
Do not let an AI coding assistant install a dependency you have not confirmed exists on its official registry. That sounds obvious until you remember these tools are optimized to keep momentum, and a hallucinated pip install slides by in a wall of green output. Pin your dependencies, and check any new package name the assistant proposes against the real registry and against a malicious-package feed before it lands — the check costs a second and the miss costs the machine. Treat "the AI suggested it" as carrying no trust at all; the assistant that invents a name has no idea whether the name is real, let alone safe. And if you run agents that clone repositories or install skills on their own initiative, sandbox them, because a 100 percent hallucination rate on skill installs means that path is not an edge case — it is the common case.
Held to about ninety-five percent. The research is the work of the Tel Aviv University, Technion, and Intuit team, and naming the mechanism is a real contribution — you cannot defend a thing you cannot say out loud. What we add is that the endpoint is familiar ground: a hallucinated name is a new way to arrive at a malicious install, and the block belongs where it always has, at the package, one second before it runs.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
