Security researchers have uncovered a new attack vector called HalluSquatting that exploits a fundamental weakness in large language models: Their tendency to hallucinate when faced with unfamiliar terms. By generating fake GitHub repository names for recently published code, attackers can trick AI agents into downloading and executing malicious software, potentially compromising thousands of machines in a single campaign.
How HalluSquatting Works
The attack targets a vulnerability in how AI models handle unknown references. When an LLM encounters a term like WindowsTelemetryOff from a recent GitHub repository, it generates a plausible URL using patterns such as owner/repository. Attackers anticipate these patterns and create malicious repositories with names including SuperHacker/WindowsTelemetryOff or WindowsTelemetryOff/WindowsTelemetryOff. They also include typo-squatting variants. When a coding agent is asked to run a script from that repository, it may hallucinate the malicious URL and execute the code without verification. Once the attacker's code runs on the user's machine, the consequences are severe.
Affected Systems and Success Rates
The research team tested several popular coding assistants, including Cursor, Gemini CLI, Copilot, and OpenClaw. Success rates for HalluSquatting ranged from 20% to 35% on Cursor and others but surged to nearly 80% to 100% on OpenClaw and its variants. The exploit is universal and requires no per-bot customization. Every single model tested, including Anthropic's Claude Opus 4.5, showed vulnerability. The mean hallucination rate for names of sample GitHub repositories published in 2025 is 92.4%, while repositories from 2019 or earlier had a 0.9% hallucination rate, still a concerning figure.
Why This Matters
The implications of HalluSquatting extend beyond individual compromises. One malicious repository can attract tens of thousands of AI agents, creating a botnet of compromised agents under attacker control. This attack undermines the trust placed in AI-powered coding assistants, which are increasingly granted broad system permissions for convenience. And the exploit mechanism does not need to be crafted specifically for any bot; the researchers' results show it is universal and transferable. The most effective mitigation involves adjusting workflows: instructing bots to always run web searches before installing software and providing them with additional context. Cybersecurity professionals have long advocated for restricting the access level granted to AI agents, yet many users still grant wide-ranging permissions to make development easier.



