Full Report
AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist. New research, which its authors call HalluSquatting, turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user's
Analysis Summary
# Tool/Technique: HalluSquatting
## Overview
HalluSquatting is a novel supply chain attack technique that exploits the deterministic nature of Large Language Model (LLM) hallucinations. Attackers identify fake resource names (GitHub repositories, npm packages, or plugins) that AI coding assistants consistently invent when asked for non-existent or trending tools. By pre-registering these "hallucinated" names on public marketplaces and embedding malicious instructions, attackers can trick AI agents into automatically fetching and executing arbitrary code, effectively building a cross-platform botnet.
## Technical Details
- **Type**: Technique (Supply Chain Attack / AI Exploitation)
- **Platform**: Cross-platform (Windows, Linux, macOS) via AI agents and execution environments (Terminals, IDEs).
- **Capabilities**: Remote Code Execution (RCE), Botnet recruitment, Indirect Prompt Injection.
- **First Seen**: July 2026 (Research published by Tel Aviv University and Technion researchers).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]** (Registering hallucinated package names)
- **[TA0002 - Execution]**
- **[T1059 - Command and Scripting Interpreter]** (AI assistants using terminal tools to run commands)
- **[TA0005 - Defense Evasion]**
- **[T1566.004 - Phishing: Indirect Prompt Injection]** (Embedding malicious instructions in fetched content)
## Functionality
### Core Capabilities
- **Deterministic Hallucination Exploitation**: Leverages the high probability (up to 100% in certain cases) that different AI models will hallucinate the exact same fake name for a requested resource.
- **Indirect Prompt Injection**: Malicious instructions are hidden within the registered "hallucinated" project. When the AI fetches the project, it interprets the embedded text as legitimate instructions to follow.
- **Automated Execution**: Exploits the "agentic" capabilities of modern coding assistants (like Cursor or Windsurf) which have built-in terminal tools and authorization to execute commands.
### Advanced Features
- **Cross-Platform Botnet Assembly**: Unlike traditional malware targeting specific OS vulnerabilities, the payload is initially text/instructions interpreted by the AI, making it effective against any environment where an AI agent is active.
- **Marketplace Persistence**: Attackers "squat" on names in popular repositories (GitHub) and package managers (npm, Skill stores) to catch high-volume user traffic.
## Indicators of Compromise
- **File Names**: `react-codeshift` (referenced historical example of "slopsquatting").
- **Network Indicators**: Requests from AI assistant processes to newly registered or suspicious GitHub repositories/npm packages that do not correlate with official documentation.
- **Behavioral Indicators**:
- Unexpected `npm install` or `git clone` commands initiated by AI agent processes.
- AI assistant attempting to open a terminal and execute shell scripts immediately after fetching external content.
## Associated Threat Actors
- **Research Group**: Aya Spira, Stav Cohen, Ron Bitton, and Ben Nassi (Academic discovery).
- **In-the-wild**: While research-focused, the technique is a progression of "Slopsquatting" used by generic supply chain attackers.
## Detection Methods
- **Behavioral Detection**: Monitoring for AI assistant processes (e.g., `Cursor.exe`, `VSCode` extensions) spawning shell processes or execution commands without explicit user "Run" confirmation.
- **Proxy/Egress Filtering**: Flagging connections to recently created code repositories or packages that have low star counts/downloads but match common LLM hallucination patterns.
- **Prompt Monitoring**: Detection of "Adversarial instructions" within data fetched by the LLM before it is processed by the agent's controller.
## Mitigation Strategies
- **Human-in-the-loop**: Disable "auto-execute" or "agentic" modes in AI assistants that allow the tool to run terminal commands without manual confirmation.
- **Dependency Verification**: Manually verify the existence and legitimacy of a library or repository before allowing an AI to fetch it.
- **Model Hardening**: Implement Guardrails at the LLM provider level to detect and flag potential hallucinations in resource names.
- **Marketplace Cleanup**: Registry operators (GitHub, npm) should monitor for "squatting" on names frequently generated by popular LLMs.
## Related Tools/Techniques
- **Slopsquatting**: The broader practice of squatting on AI-hallucinated package names.
- **Typosquatting**: Registering common misspellings of popular packages.
- **AI Worms (Morris II)**: Self-spreading malicious prompts.
- **Targeted Tools**: Cursor, Windsurf, GitHub Copilot, Cline, OpenClaw, Gemini CLI.