Security researchers have uncovered a new attack vector called HalluSquatting that exploits a fundamental weakness in large language models: Their tendency to hallucinate when faced with unfamiliar terms. By generating fake GitHub repository names for recently published code, attackers can trick AI agents into downloading and executing malicious software, potentially compromising thousands of machines in a single campaign.

What You Need to Know

HalluSquatting exploits the inability of LLMs to recognize recent code repositories not in their training data, causing them to hallucinate plausible but malicious URLs. Researchers found hallucination rates as high as 92.4% for 2025 repositories, with models like Claude Opus 4.5 affected. The attack is universal and transferable across different AI agents, including coding assistants like Cursor and OpenClaw.

How HalluSquatting Works

The attack targets a vulnerability in how AI models handle unknown references. When an LLM encounters a term like WindowsTelemetryOff from a recent GitHub repository, it generates a plausible URL using patterns such as owner/repository. Attackers anticipate these patterns and create malicious repositories with names including SuperHacker/WindowsTelemetryOff or WindowsTelemetryOff/WindowsTelemetryOff. They also include typo-squatting variants. When a coding agent is asked to run a script from that repository, it may hallucinate the malicious URL and execute the code without verification. Once the attacker's code runs on the user's machine, the consequences are severe.

  • Reverse shell access: Attackers gain remote command line control over the compromised machine.
  • Data theft: Passwords and sensitive information can be siphoned from the user's account.
  • Resource hijacking: Crypto miners or other malware can be installed on the victim's system.

Affected Systems and Success Rates

The research team tested several popular coding assistants, including Cursor, Gemini CLI, Copilot, and OpenClaw. Success rates for HalluSquatting ranged from 20% to 35% on Cursor and others but surged to nearly 80% to 100% on OpenClaw and its variants. The exploit is universal and requires no per-bot customization. Every single model tested, including Anthropic's Claude Opus 4.5, showed vulnerability. The mean hallucination rate for names of sample GitHub repositories published in 2025 is 92.4%, while repositories from 2019 or earlier had a 0.9% hallucination rate, still a concerning figure.

Why This Matters

The implications of HalluSquatting extend beyond individual compromises. One malicious repository can attract tens of thousands of AI agents, creating a botnet of compromised agents under attacker control. This attack undermines the trust placed in AI-powered coding assistants, which are increasingly granted broad system permissions for convenience. And the exploit mechanism does not need to be crafted specifically for any bot; the researchers' results show it is universal and transferable. The most effective mitigation involves adjusting workflows: instructing bots to always run web searches before installing software and providing them with additional context. Cybersecurity professionals have long advocated for restricting the access level granted to AI agents, yet many users still grant wide-ranging permissions to make development easier.