{"id":4569,"date":"2026-07-13T08:37:05","date_gmt":"2026-07-13T08:37:05","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/13\/hallusquatting-compromises-ai-coding-agents-to-install-malware-create-botnets\/"},"modified":"2026-07-13T08:37:05","modified_gmt":"2026-07-13T08:37:05","slug":"hallusquatting-compromises-ai-coding-agents-to-install-malware-create-botnets","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/13\/hallusquatting-compromises-ai-coding-agents-to-install-malware-create-botnets\/","title":{"rendered":"\u2018HalluSquatting\u2019 Compromises AI Coding Agents to Install Malware, Create Botnets"},"content":{"rendered":"<div><img data-opt-id=723960471  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2025\/06\/AI-model.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"\" \/><\/div>\n<p><img data-opt-id=1667573176  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2025\/06\/AI-model-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"\" \/><\/p>\n<p>Hallucinations have been an ongoing problem since OpenAI first introduced its ChatGPT chatbot in November 2022, highlighting generative AI\u2019s tendency to generate plausible but false or misleading information and its inability to just say \u201cI don\u2019t know.\u201d<\/p>\n<p>They can lead to embarrassing or uncomfortable moments. However, security researchers in Israel have found that the large language model (LLMs) <a href=\"https:\/\/techstrong.ai\/features\/ctgt-framework-sharply-reduces-ai-hallucinations-and-misinformation\/\" target=\"_blank\" rel=\"noopener\">hallucinations<\/a> can be weaponized by threat actors to compromise systems and create large botnets.<\/p>\n<p>In a <a href=\"https:\/\/sites.google.com\/view\/agentic-botnets\/home\" target=\"_blank\" rel=\"noopener\">paper<\/a> issued this week, researchers from Tel Aviv University, Technion, and Intuit outlined a technique they call \u201cHalluSquatting,\u201d or adversarial hallucination squatting, in which hackers exploit the predictable tendency of AI models to generate \u2013 hallucinate \u2013 incorrect or non-existent resource identifiers, which can include popular repositories, skills, and software packages.<\/p>\n<p>The threat takes particular advantage of the growing use of AI agents by developers and their ability to not only suggest code but to independently perform tasks, execute commands, work within the system \u2013 from accessing files and retrieving data to writing code to reaching into the web \u2013 often with little or no human intervention.<\/p>\n<h3>Predicting Hallucinations<\/h3>\n<p>In the case of HalluSquatting, a developer makes a task for a coding agent \u2013 grabbing code from a repository or installing a software package. The agent may make up a name for the package that is close to what is asked for but is incorrect.<\/p>\n<p>The researchers found that bad actors can reliably predict the hallucinated names agents likely will create, and then register those names and add malicious code to them. Then they wait. Once the AI coding agent retrieves the hallucinated resource, it pulls the malware into the developer\u2019s system.<\/p>\n<p>\u201cBy leveraging the predictability and transferability of hallucinations across foundational LLMs and application layers, adversaries can significantly amplify the reach of untargeted promptware under weak threat models and establish a botnet by exploiting LLM applications to install a bot on the device that \u2018pulled\u2019 the compromised hallucinated resource from the Internet,\u201d the researchers wrote.<\/p>\n<h3>Attractive Targets<\/h3>\n<p>They added that targeting trending resources is an attractive target for hackers because they \u201censure high request volume from users using their LLM applications. Moreover, popular\/trending resources tend to be recently uploaded resources, which ensures a high hallucination rate by the LLM because they weren\u2019t part of the training set used to train the LLM used by the LLM application.\u201d<\/p>\n<p>They tested the technique against a range of AI coding assistants and agents, including <a href=\"https:\/\/devops.com\/z-ai-debuts-zcode-to-compete-with-github-copilot-cursor-and-anthropic\/\" target=\"_blank\" rel=\"noopener\">GitHub Copilot<\/a>, Google\u2019s Gemini CLI, <a href=\"https:\/\/securityboulevard.com\/2026\/03\/latest-openclaw-security-risk-fake-github-repositories-used-to-deploy-infostealers\/\" target=\"_blank\" rel=\"noopener\">OpenClaw<\/a>, NanoClaw, Windsor, and Cursor. The AI models successfully hallucinated the false names of repositories 85% of the time, with the rate for skill installation hitting 100%.<\/p>\n<p>The report\u2019s authors noted that the high success rates aren\u2019t etched in stone.<\/p>\n<p>\u201cOur findings are only a lower bound on what attackers could do,\u201d they wrote. \u201cAttacks always get better; they never get worse.\u201d<\/p>\n<h3>Exploiting Coding Agent Behavior<\/h3>\n<p>According to the researchers, the growing adoption of agentic applications has brought with it the <a href=\"https:\/\/securityboulevard.com\/2026\/02\/the-promptware-kill-chain\/\" target=\"_blank\" rel=\"noopener\">threat of promptware<\/a>, an AI prompt injection attack in which hidden or pre-written prompts push rogue instructions into an AI assistant.<\/p>\n<p>\u201cWhile prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models (e.g., by sending emails or calendar invitations to a target), many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet,\u201d they wrote.<\/p>\n<h3>A Mix of Kill Chains<\/h3>\n<p>HalluSquatting changes the equation, allowing attackers to exploit AI model applications without direct channels. It combines what the researcher called the \u201cpromptware kill chain\u201d and \u201ctraditional malware kill chain.\u201d It starts with pulling adversarial prompts into an LLM application and ends by instructing the application to install a bot using remote code execution (RCE).<\/p>\n<p>The beginning involves injecting an adversarial prompt that hijacks an LLM application and exploits the LLM to perform malicious acts by using the terminal and installing a bot. That\u2019s in line with a promptware kill chain. That said, once the LLM application installs the bot on a device, the bot won\u2019t exploit an AI model to perform malicious activities, which is where the more familiar malware kill chain starts, they wrote.<\/p>\n<h3>Manipulating AI Models<\/h3>\n<p>It also plays off of <a href=\"https:\/\/securityboulevard.com\/2026\/06\/typosquatting-is-no-longer-a-user-problem-its-a-supply-chain-problem\/\" target=\"_blank\" rel=\"noopener\">typosquatting<\/a>, where threat actors register domain names that are close to legitimate domain names, but not exact, and wait for victims to click on the wrong domain. HalluSquatting essentially migrates the target from humans to AI agents, which may not confirm whether the source is real while carrying out commands.<\/p>\n<p>It\u2019s also another in a growing number of techniques that could be used by attackers to compromise and manipulate AI models. <a href=\"https:\/\/devops.com\/mozilla-shows-the-danger-of-indirect-prompt-injections-in-ai-coding-agents\/\" target=\"_blank\" rel=\"noopener\">Indirect prompt injections<\/a> are used to <a href=\"https:\/\/devops.com\/gitlost-flaw-lets-attackers-trick-github-ai-agent-into-leaking-private-repos\/\" target=\"_blank\" rel=\"noopener\">embed malicious instructions<\/a> inside external content, such as websites, emails, and documents, that an agent may read as legitimate instructions to be executed.<\/p>\n<p><a href=\"https:\/\/devops.com\/hallusquatting-compromises-ai-coding-agents-to-install-malware-create-botnets\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n<p>\u200b<\/p>","protected":false},"excerpt":{"rendered":"<p>Hallucinations have been an ongoing problem since OpenAI first introduced its ChatGPT chatbot in November 2022, highlighting generative AI\u2019s tendency [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4570,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4569","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4569"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4569\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4570"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}