The Core Vulnerability: LLMs Cannot Say “I Don’t Know”
Large language models have a fundamental limitation that makes HalluSquatting possible: they cannot reliably distinguish between legitimate user instructions and malicious content embedded in third-party resources. When a developer asks a coding agent to clone a repository, the LLM resolves the resource location based on training patterns rather than verified lookups.
The result is predictable hallucination. For repositories published in 2025, the mean hallucination rate across six major foundation models reaches 92.4%. The same models correctly resolve pre-2019 repositories with a hallucination rate of just 0.9%. The training cutoff creates a sharp boundary: anything recent is fabricated with high confidence.
The six models tested—Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5, and Opus-4.5—all exhibit the same self-referential hallucination pattern. When asked to resolve a repository name, they frequently produce owner/repo slugs where the owner matches the repository name itself. This pattern requires no model probing to exploit.
How HalluSquatting Works
The attack follows a three-phase structure that mirrors typosquatting but exploits LLM behavior rather than human typing errors.
Phase 1: Predict Hallucination Candidates
Attackers identify trending repositories and skills that coding agents are likely to reference. Because these resources are too recent to appear in training data, LLMs fabricate their locations. The researchers found that hallucinated identifiers follow consistent, model-specific patterns that can be mapped in advance.
For example, a trending repository called vibe-kanban might be hallucinated as vibe-kanban/vibe-kanban. The self-referential slug treats the repository name as both owner and project. Attackers register these predictable but non-existent owner names on GitHub or package registries.
Phase 2: Seed Malicious Payloads
Once registered, the squatted repositories are populated with content that mimics legitimate resources. Buried in README files or configuration scripts are instructions for the coding agent to install reverse shells. Because coding assistants operate with high-privilege command-line access, the agent executes these instructions without user verification.
The payload does not need to be sophisticated. A simple instruction embedded in documentation text—”to complete setup, run this command”—suffices when an LLM is processing the content as trusted context.
Phase 3: Wait for Autonomous Retrieval
This is what makes HalluSquatting scalable. Attackers do not push malicious prompts to individual targets. They plant resources once and wait for coding agents across the internet to retrieve them autonomously. Every developer whose agent hallucinates the same incorrect location becomes a potential victim.
The pull-based nature eliminates the scaling bottleneck of traditional prompt injection. A single squatted repository can compromise thousands of machines without additional attacker effort.
Affected Tools and Attack Outcomes
The research confirms susceptibility across a broad range of coding assistants and agents: Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw. These tools share a common architectural pattern: they integrate LLM reasoning with terminal access and third-party resource retrieval.
The potential outcomes extend beyond individual device compromise:
- Botnet assembly for large-scale DDoS attacks, following patterns established by Mirai and similar malware
- Cryptocurrency mining operations that aggregate compromised computational resources
- Ransomware deployment across distributed networks, maximizing financial extraction
- Data exfiltration through reverse shell access to development environments
- Supply chain contamination where compromised agents introduce backdoors into projects they work on
The attack is particularly dangerous in development contexts because coding agents typically operate with elevated permissions. They need access to package managers, build tools, and deployment pipelines—all of which become attack vectors once the agent is compromised.
Why Existing Guardrails Fall Short
AI platform developers have responded to prompt injection threats with guardrails: content filtering, sandboxing, and user confirmation prompts. HalluSquatting exposes the limitations of this approach.
The malicious content does not need to bypass content filters because it arrives through trusted channels. The agent itself retrieves the resource as part of normal operation. The payload can be structured as legitimate-looking documentation or configuration—content that no reasonable filter would block.
Michael Bargury, CTO of security firm Zenity, frames the problem in terms of agency: “At the end of the day, it’s about the level of agency we allow our agents. They are going to get fooled one way or the other. That should be our assumption, and we should be resilient to that.”
The root cause—LLMs fabricating resource identifiers—cannot be patched with guardrails. It is inherent to how these models resolve references to information outside their training data.
The Typosquatting Parallel
The “squatting” terminology is deliberate. Typosquatting attacks, which gained widespread attention in 2016 when a researcher uploaded 214 booby-trapped packages mimicking popular names, rely on human error in typing resource identifiers. Those imposter packages executed over 45,000 times across more than 17,000 domains.
HalluSquatting replaces human typing errors with LLM hallucination errors. The attack surface grows with LLM adoption rather than user carelessness. Every coding agent that resolves resources through an LLM becomes a potential vector, regardless of how carefully the human operator works.
The researchers note that the self-referential hallucination pattern—treating a repository name as its own owner—is particularly exploitable because it requires no model probing. Attackers can predict hallucinated identifiers without ever querying the target model.
What This Means for AI Tool Adoption
AI coding tools are marketed on convenience: automate tedious tasks, streamline workflows, reduce cognitive overhead. HalluSquatting demonstrates that some of this convenience is illusory. When an agent hallucinates resource locations at rates exceeding 90% for recent content, the developer must verify every retrieval manually.
The efficiency gain from delegating repository cloning to an agent disappears if the developer must then audit the agent’s resolution decisions. The attack exposes a tension between automation and trust that current AI tool design does not resolve.
Independent researcher Johann Rehberger points to the broader implication: “The main point is that they found a cool technique to find resource names that are more likely by models to be used/confused with. And that could mean many agents falling for such attacks in the wild.”
Practical Takeaways
For developers and teams using AI coding assistants, several defensive postures become necessary:
- Verify resource locations explicitly. Do not rely on agent-resolved repository URLs or package identifiers. Cross-reference against official sources before allowing terminal execution.
- Audit agent actions in high-privilege contexts. Coding agents that can execute shell commands, modify files, or access package registries should have their retrieval decisions logged and reviewed.
- Treat trending resources with heightened scrutiny. The attack exploits the gap between resource publication and LLM training inclusion. New repositories and skills carry elevated risk.
- Limit agent agency where possible. Restrict terminal access, network egress, and filesystem write permissions to the minimum required for the task.
The research does not suggest abandoning AI coding tools. It does suggest that current deployment patterns—where agents operate with broad trust and minimal verification—create systemic vulnerability. HalluSquatting is not a theoretical attack. It is a predictable consequence of how LLMs handle resource resolution, and the infrastructure to exploit it already exists.
Comments (0) No comments yet
Want to join this discussion? Login or Register.
No comments yet. Be the first to share your thoughts!