All incidents

HalluSquatting attack uses AI hallucinations to create botnets

outageopenJul 8, 2026 — Jul 10, 2026
HalluSquatting attack uses AI hallucinations to create botnets

RESEARCHERS have revealed a new technique called HalluSquatting that turns AI assistants’ tendency to hallucinate into a way to build hidden botnets according to SecurityWeek. The approach leverages untargeted promptware to make models generate false repository names that appear legitimate.

The attack works by feeding untargeted promptware to large language models so they produce false repository names that the models then treat as real. In tests, hallucination rates reached 85 per cent for repository cloning and 100 per cent for skill installation as reported by Ars Technica.

Because the fabricated names are not present in the training data, the models frequently hallucinate them, allowing attackers to register those domains and inject malicious code. When a user asks the AI to fetch or install a package, the assistant may retrieve the attacker‑controlled resource and execute the hidden payload. This creates a stealthy infection chain that avoids traditional signature‑based defenses.

So far there is no evidence of HalluSquatting being used in the wild, and no threat actor has been linked to the technique. The research team warns that the low barrier to entry could lead to rapid adoption by criminal groups seeking to spread ransomware or launch distributed denial of service campaigns.

Organisations should review the outputs of any AI coding assistant before allowing it to install code or clone repositories. Implementing strict allowlists for approved package names can block attempts to resolve hallucinated identifiers. Additionally, sandboxing the execution environment limits the impact of any malicious payload that might be retrieved.

Users are encouraged to verify the source of any suggested dependency and to disable automatic installation features where possible. Keeping AI tools up to date with the latest security patches reduces the chance of exploitation through other vectors.

Intelligence briefing updated Jul 10, 2026

Root sourcesites.google.com
Timeline Coverage

Swipe to explore timeline