Hackers can now use nine of the most popular AI coding assistants to assemble massive botnets, according to new research. The attack, called HalluSquatting, exploits the tendency of large language models (LLMs) to hallucinate resource identifiers, allowing attackers to register and seed malicious repositories that can be accessed by these assistants. This method enables large-scale infections without needing to target each device individually. The attack works against tools like Cursor, GitHub Copilot, and Gemini CLI, which are all susceptible to this form of exploitation. Source: arstechnica

The HalluSquatting attack is based on the inherent inability of LLMs to accurately identify the location of resources specified by users. When a developer instructs a coding agent to clone a repository, the LLM often hallucinates its correct location up to 85% of the time. This flaw is especially pronounced with trending resources, which are not included in the LLM training data and receive a high number of downloads in a short period. The researchers found that all six of the major LLMs, including Gemini-2.5-flash and GPT-5.1, exhibit this behavior, making them vulnerable to the attack. Source: arstechnica

The researchers noted that the attack leverages the self-referential hallucination pattern, where LLMs treat the repository name as the owner. This makes it possible for attackers to register and seed malicious repositories that mimic popular ones. Once an attacker identifies names likely to be hallucinated, they can register and upload a repository or skill that contains instructions for the app to install a reverse shell on the user's machine. This method allows attackers to infect large numbers of devices without needing to target each one individually. Source: arstechnica