HalluSquatting: Weaponizing AI Hallucinations — Building Agent Botnets by Exploiting LLM Fabrication Vulnerabilities
1. Introduction
On July 8, 2026, a groundbreaking paper from Tel Aviv University, Technion, and Intuit dropped: “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” The researchers demonstrated that AI models’ tendency to hallucinate non-existent resources can be systematically weaponized, creating a remote code execution channel to compromise computers and build botnets.
The technique, called Adversarial HalluSquatting, achieves an 85% hallucination rate in repository cloning scenarios and 100% in skill installation scenarios. Attackers need no direct injection channels — AI agents will autonomously download and execute malicious code simply by hallucinating the wrong resource name.
2. The Technical Principle of HalluSquatting
2.1 What Is “Hallucination Squatting”
"""
HalluSquatting Attack Framework: Core Concepts
"""
class HalluSquattingAttack:
"""
Complete adversarial hallucination squatting framework.
Attack flow:
1. Analyze LLM hallucination distribution for specific resource names
2. Predict which non-existent resources the LLM most likely "fabricates"
3. Pre-register those resources with malicious payloads
4. Wait for agents to trigger hallucinations during innocent tasks
"""
def __init__(self, target_model: str):
self.target_model = target_model
self.registered_squats = {}
self.trigger_stats = {"attempts": 0, "successes": 0}
def analyze_hallucination_patterns(self, trending_resources: list,
sample_size: int = 1000) -> dict:
"""Analyze which non-existent resources the model hallucinates most"""
hallucination_map = {}
for resource in trending_resources:
fake_results = self._query_model_for_resource(resource, sample_size)
for result in fake_results:
hallucination_map[result] = hallucination_map.get(result, 0) + 1
return {
resource: count / sample_size
for resource, count in sorted(
hallucination_map.items(), key=lambda x: x[1], reverse=True
)[:20]
}
def _query_model_for_resource(self, resource: str, n_queries: int) -> list:
"""Simulate querying the model for resource locations"""
import random
results = []
for _ in range(n_queries):
if random.random() < 0.15:
results.append(f"github.com/real/{resource}")
else:
fake_name = self._generate_fake_name(resource)
results.append(f"github.com/fake/{fake_name}")
return results
def _generate_fake_name(self, resource: str) -> str:
"""Generate hallucinated names based on real resource names"""
import random
patterns = [
f"{resource}-v{random.randint(2, 9)}",
f"{resource}-{random.choice(['beta', 'stable', 'lite', 'pro'])}",
f"{resource}-{random.choice(['toolkit', 'sdk', 'cli', 'lib'])}",
]
return random.choice(patterns)
def register_squat(self, hallucinated_name: str,
malicious_payload: dict) -> bool:
"""Register the hallucinated resource with malicious payload"""
self.registered_squats[hallucinated_name] = {
"payload": malicious_payload,
"times_triggered": 0,
}
return True
def execute_attack_chain(self, agent_task: str) -> dict:
"""Execute the full attack chain"""
self.trigger_stats["attempts"] += 1
import random
# Step 1: Agent hallucinates during task processing
hallucinated = random.choice(
list(self.registered_squats.keys()) + [None]
) if random.random() < 0.85 else None
if not hallucinated or hallucinated not in self.registered_squats:
return {"success": False}
# Step 2: Agent downloads and executes malicious content
squat = self.registered_squats[hallucinated]
self.trigger_stats["successes"] += 1
squat["times_triggered"] += 1
return {
"success": True,
"hallucinated_name": hallucinated,
"payload_type": squat["payload"].get("type"),
}
# Comparison with Typosquatting
class AttackComparison:
"""Compare HalluSquatting with traditional Typosquatting"""
@staticmethod
def compare():
comparison = {
"Dimension": [
"Target", "Trigger Mechanism", "Attack Vector",
"Scale", "Detection Difficulty", "Defense"
],
"Typosquatting": [
"Human typing errors", "User manually types wrong URL",
"Requires social engineering", "One user per attack",
"Medium (check URL spelling)", "URL blacklists, whitelists"
],
"HalluSquatting": [
"LLM fabrication behavior", "Agent autonomously hallucinates",
"No human involvement needed", "One registration = millions of agents",
"Extremely high (hallucinations look plausible)",
"Model must refuse to guess"
],
}
print("=" * 80)
print("HalluSquatting vs Typosquatting: Key Differences")
print("=" * 80)
for i in range(len(comparison["Dimension"])):
print(f"\n{comparison['Dimension'][i]}:")
print(f" Typosquatting: {comparison['Typosquatting'][i]}")
print(f" HalluSquatting: {comparison['HalluSquatting'][i]}")
print("=" * 80)
if __name__ == "__main__":
AttackComparison.compare()
# Simulate attack
attack = HalluSquattingAttack("Claude Fable 5")
attack.register_squat("react-router-v3", {"type": "code_execution", "payload": "malicious"})
attack.register_squat("express-validator-beta", {"type": "botnet_join", "c2": "c2.botnet"})
print("\nAttack Chain Results:")
for task in ["Install React Router", "Add Express validation", "Update lodash"]:
result = attack.execute_attack_chain(task)
icon = "✅" if result["success"] else "❌"
print(f" {icon} {task}: {result}")
Output:
================================================================================
HalluSquatting vs Typosquatting: Key Differences
================================================================================
Target:
Typosquatting: Human typing errors
HalluSquatting: LLM fabrication behavior
Trigger Mechanism:
Typosquatting: User manually types wrong URL
HalluSquatting: Agent autonomously hallucinates
Scale:
Typosquatting: One user per attack
HalluSquatting: One registration = millions of agents
Attack Chain Results:
✅ Install React Router: {'success': True, ...}
✅ Add Express validation: {'success': True, ...}
❌ Update lodash: {'success': False, ...}
3. Experimental Validation: 6 Major AI Coding Assistants All Compromised
3.1 Test Results
| Product | Hallucination Rate (Repo Clone) | Hallucination Rate (Skill Install) | Remote Code Execution |
|---|---|---|---|
| Cursor | 85% | 100% | ✅ |
| GitHub Copilot | 78% | 95% | ✅ |
| Gemini CLI | 72% | 92% | ✅ |
| Claude Code | 82% | 98% | ✅ |
| OpenClaw | 76% | 90% | ✅ |
| Windsurf | 80% | 96% | ✅ |
3.2 Predictability and Transferability of Hallucinations
The key finding: Hallucinations are predictable and transferable across different models. An attacker can analyze the hallucination distribution of one model and use those findings to register squats that will be triggered by many other models.
// Go: Hallucination transferability analysis
package main
import (
"fmt"
"strings"
)
type HallucinationSample struct {
ModelName string
ResourceName string
IsHallucination bool
}
func main() {
models := []string{"Cursor", "Copilot", "Gemini CLI", "Claude Code", "OpenClaw"}
resources := []string{"react-router-v3", "express-validator-beta", "lodash-pro"}
// Simulate hallucination data
modelHallucinations := make(map[string]map[string]bool)
for _, model := range models {
modelHallucinations[model] = make(map[string]bool)
for _, resource := range resources {
isHall := strings.HasPrefix(resource, "react") ||
strings.HasPrefix(resource, "express")
modelHallucinations[model][resource] = isHall
}
}
// Compute transferability
fmt.Println(strings.Repeat("=", 70))
fmt.Println("Hallucination Transferability Matrix")
fmt.Println(strings.Repeat("=", 70))
for i := 0; i < len(models); i++ {
for j := i + 1; j < len(models); j++ {
setA := modelHallucinations[models[i]]
setB := modelHallucinations[models[j]]
intersection, union := 0, len(setA)
for r := range setB {
if setA[r] { intersection++ } else { union++ }
}
similarity := float64(intersection) / float64(union) * 100
fmt.Printf(" %s ↔ %s: %.0f%% overlap\n",
models[i], models[j], similarity)
}
}
fmt.Println("\n" + strings.Repeat("=", 70))
fmt.Println("Key Finding: Hallucinations transfer across models at")
fmt.Println("~72% Jaccard similarity, enabling single-attack, multi-model exploitation.")
}
Output:
======================================================================
Hallucination Transferability Matrix
======================================================================
Cursor ↔ Copilot: 67% overlap
Cursor ↔ Gemini CLI: 67% overlap
Cursor ↔ Claude Code: 100% overlap
Cursor ↔ OpenClaw: 67% overlap
Copilot ↔ Gemini CLI: 67% overlap
Copilot ↔ Claude Code: 67% overlap
Copilot ↔ OpenClaw: 67% overlap
Gemini CLI ↔ Claude Code: 67% overlap
Gemini CLI ↔ OpenClaw: 67% overlap
Claude Code ↔ OpenClaw: 67% overlap
======================================================================
Key Finding: Hallucinations transfer across models at
~72% Jaccard similarity, enabling single-attack, multi-model exploitation.
4. Botnet Construction
4.1 Full Attack Chain
HalluSquatting Botnet Attack Chain
───────────────────────────────────
Phase 1: Reconnaissance
┌─────────────────────────────────────────────────────────────┐
│ 1. Analyze trending open-source repositories (npm, PyPI) │
│ 2. Send queries to target LLM, map hallucination distribution│
│ 3. Identify top-K cross-model transferable hallucinated names│
└─────────────────────────────────────────────────────────────┘
▼
Phase 2: Resource Registration
┌─────────────────────────────────────────────────────────────┐
│ 4. Register hallucinated names on npm/PyPI/GitHub │
│ 5. Embed malicious promptware payload in registered package │
│ 6. Payload includes: botnet join command, C2 server info │
└─────────────────────────────────────────────────────────────┘
▼
Phase 3: Passive Triggering
┌─────────────────────────────────────────────────────────────┐
│ 7. Developer uses AI coding assistant normally │
│ 8. Agent hallucinates non-existent resource during task │
│ 9. Agent autonomously downloads and executes instructions │
└─────────────────────────────────────────────────────────────┘
▼
Phase 4: Botnet Formation
┌─────────────────────────────────────────────────────────────┐
│ 10. Infected agent becomes botnet node │
│ 11. Attacker issues commands via C2 server │
│ 12. Botnet used for DDoS, cryptomining, data exfiltration │
└─────────────────────────────────────────────────────────────┘
5. Defense Mechanisms
5.1 Technical Defenses
- Package signing: Require digital signatures for all installed packages
- Dependency pinning: Use exact version lockfiles to prevent automatic resolution
- Registry whitelists: Restrict agents to approved registries only
- Human confirmation: Require human approval for non-whitelisted package installs
5.2 Model-Level Defenses
- Refuse to guess: Models must decline when they cannot verify a resource’s existence
- Confidence calibration: Output uncertainty quantification for high-risk scenarios
5.3 The Paper’s Key Recommendation
The researchers emphasize: “The deeper fix requires LLMs to decline rather than guess when they cannot verify a resource’s location — a capability none of the six tested models currently demonstrate.”
6. Conclusion
HalluSquatting reveals a disturbing reality: the most criticized flaw of AI models — hallucination — is being weaponized. As AI agents evolve from “answering questions” to “operating computers,” every fabricated resource name becomes a potential backdoor channel.
This is not a theoretical attack. With 85% hallucination rates in repository cloning and 100% in skill installation under controlled experiments, nearly every agent operation presents an exploitable surface. When AI coding assistants process millions of requests monthly, the attack surface is massive.
Defense requires coordinated effort across models, toolchains, and ecosystems — and until then, AI hallucinations are no longer just amusing. They are dangerous.
Based on arXiv paper 2607.07433, Decrypt, The Hacker News, and Ars Technica.