HalluSquatting made AI agents fetch poisoned repos

Tombstone icon

Researchers demonstrated HalluSquatting, which predicts repository and skill names AI agents are likely to invent, registers them, and waits. Tests against nine production tools achieved remote code execution or unauthorized tool use in controlled runs. No real-world infections were reported.

Incident Details

Severity:Facepalm
Company:Multiple AI coding assistant vendors
Perpetrator:AI coding and assistant platforms
Incident Date:
Blast Radius:Nine tested agentic tools could retrieve attacker-controlled repositories or skills; controlled tests reached remote code execution rates from 20% to 100%, with no confirmed real-world victims

Wrong address, right machine

A developer asks an AI coding agent to clone a new project. The developer remembers the project name but not the GitHub account that owns it, which is ordinary enough. The agent supplies the missing owner, builds a plausible owner/repository address, and fetches whatever lives there.

That helpful guess is where HalluSquatting starts.

Researchers Aya Spira, Elad Feldman, Avishai Wool, Ben Nassi, Stav Cohen, and Ron Bitton studied what happens when agentic tools resolve incomplete names for repositories and installable skills. Their July 2026 paper found that language models regularly invented identifiers for newer resources. More usefully for an attacker, the inventions followed patterns and recurred across models. An attacker could predict a likely wrong address, register it, place hostile instructions inside, and wait for agents to arrive.

The victim does not need to receive a poisoned email, accept a malicious calendar invitation, or open a pull request from the attacker. The agent goes looking for the resource on its own. The researchers called this a pull-based promptware attack: malicious instructions sit inside a resource until an AI application fetches them and supplies the machine access needed to act.

Hallucination became resource discovery

Earlier slopsquatting research focused on fabricated package names. A model recommends a Python or JavaScript dependency that does not exist; an attacker registers the name on PyPI or npm; a developer later installs it. HalluSquatting applies the same ugly property to a wider and more autonomous workflow.

Coding agents routinely clone GitHub repositories, read their files, install dependencies, and run commands. Assistant platforms also install "skills," bundles of instructions and executable material that add capabilities. A fabricated identifier in either workflow can send the agent to a resource controlled by somebody else. Once there, text in a README or skill file becomes part of the agent's working context.

The attacker therefore gets two mistakes for the price of one registration. First, the model invents the resource address. Second, the agent treats instructions inside the fetched resource as something worth following. If the agent has a shell, the instruction can ask it to run a script or install a reverse shell. If it has other tools, the poisoned content can steer those tools instead.

The attack resembles typosquatting only from a distance. Typosquatting waits for a person to mistype a known name. HalluSquatting measures which wrong names models produce and occupies those locations before an agent asks for them. Statistical autocomplete supplies the typo, consistently and at machine speed.

New repositories were the weak spot

The team ran more than 14,000 tests across foundation models and production applications. At the model layer, it queried Gemini 2.5 Flash, Gemini 2.5 Pro, GPT-5.1, GPT-5.2, Sonnet 4.5, and Opus 4.5. The prompt asked for a shell command to clone a named repository while omitting its owner.

Age mattered enormously. Older repositories created before 2019 produced a mean hallucination rate of 0.9 percent. For the selected repositories created in 2025, the mean jumped to 92.4 percent. Across 60 combinations of recent repositories and models, 53 produced the wrong owner in every run.

Those figures do not mean every request for every new repository fails 92.4 percent of the time. The researchers deliberately selected recent and trending projects to examine the gap created by material newer than model training data. The result still identifies a routine failure mode: when the model lacks a fresh repository address and the application does not verify it, confidence fills the empty field.

Several models also converged on the same guesses. A common self-referential pattern turned a project named vibe-kanban, for example, into an address shaped like vibe-kanban/vibe-kanban. Repeated guesses make squatting practical. An attacker does not need to register every nonsense string a model might produce; the high-probability candidates are the valuable ones.

Nine applications fetched the bait

The end-to-end tests covered Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot Chat, Cline, OpenClaw, ZeroClaw, and NanoClaw. The researchers registered controlled resources and embedded promptware designed to trigger either unauthorized tool use or remote code execution.

Repository-based tests against the coding tools achieved the intended payload in 20 to 65 percent of runs, depending on the application and model. Skill-based tests against OpenClaw, ZeroClaw, and NanoClaw reached 40 to 100 percent. In some OpenClaw, ZeroClaw, and NanoClaw configurations, every tested run executed the remote-code payload.

These were laboratory demonstrations. The paper did not document compromised customers, an active botnet, ransomware infections, or cryptocurrency mining on strangers' computers. The researchers disclosed the findings to vendors and model providers before publication and withheld details they believed would make direct abuse easier.

"Botnet" describes the demonstrated delivery architecture and its plausible use, not a body count. One poisoned resource can be fetched by many unrelated agents asking for the same popular project. If each agent has terminal access and obeys the embedded instruction, the attacker gains a collection of machines without sending a separate lure to each owner. That scaling property is what separates HalluSquatting from the usual one-message-per-target prompt injection.

Search before clone

The paper found that applications sometimes searched the web before producing a clone command. Verification sharply changes the attack path because the agent can find the canonical owner instead of relying on model memory. A search result is not a complete security boundary, but checking the requested resource against GitHub, a trusted catalog, or publisher documentation removes the guess that HalluSquatting needs.

Application code can enforce that check before a fetch. Freshly downloaded repositories and skills can be treated as untrusted input rather than instructions with inherited authority. Auto-run and permission-bypass modes can be disabled for resources the user has not reviewed. Terminal execution can remain sandboxed, with network and credential access kept outside the sandbox unless a person approves the operation.

None of those controls is glamorous. They also do not require a language model to judge whether prose inside a README is secretly malicious. They attach the decision to the resource's provenance and to the capability being requested.

HalluSquatting earns a place here as a demonstrated hazard rather than a confirmed campaign. The agents fetched attacker-controlled resources and executed payloads under controlled conditions across nine products. No customers were reported harmed. Waiting for a real botnet before treating the retrieval path as a security boundary would be an impressively literal interpretation of "production testing."

Discussion