TheVortiq
Inteligencia Artificial

HalluSquatting: The New Cyberattack Exploiting AI Hallucinations

Researchers demonstrate how to trick AI agents into executing malicious code with up to 85% success, leveraging their tendency to invent repository URLs.

July 12, 2026 · 3 min read

robot and human hands reaching toward ai text

TL;DR: HalluSquatting is an attack that tricks AI agents into hallucinating malicious repository URLs, achieving harmful code execution in up to 85% of cases. It affects all current models, including Claude Opus 4.5.

What is HalluSquatting?

HalluSquatting (or 'adversarial hallucination squatting') is an attack technique that exploits the tendency of large language models (LLMs) to 'hallucinate' code repository names when asked to perform a task involving a recent library or tool. Instead of admitting they don't know the repository, models generate plausible names based on common patterns like owner/repository or toolname/toolname. An attacker can create malicious repositories with those names, and when an AI agent tries to use them, it ends up executing malicious code.

How does the attack work?

The mechanism is surprisingly simple. First, the attacker identifies a repository, library, or bot skill that has recently gained popularity but is not yet in the model's training data. Then, they generate variations of the repository name following predictable patterns (e.g., SuperHacker/WindowsTelemetryOff). Finally, they create a malicious repository with one of those names. When an AI agent receives an instruction like 'run the windowstelemetryoff script,' it is likely to hallucinate the correct URL and end up using the malicious repository.

Scope of the problem

The research, conducted by teams from Tel Aviv University, Technion, and Intuit, shows that LLMs hallucinate the location of a recent code repository up to 85% of the time, reaching 100% for popular agent skills. All models are affected, including Anthropic's Claude Opus 4.5. In commercial applications like Cursor, Gemini CLI, and Copilot, the attack success rate ranges from 20% to 35%, while in OpenClaw and its variants it reaches 80-100%. The attack is universal and transferable across different bots.

Potential consequences

Once the malicious code executes, the attacker can gain remote access to the victim's system (reverse shell), steal data and passwords, install malware, mine cryptocurrencies, or even hijack the AI agent to launch further attacks. Since a single malicious repository can attract tens of thousands of bots, the potential for damage is massive.

What should readers know?

This attack exploits a fundamental weakness of LLMs: their non-deterministic nature and tendency to generate incorrect responses with high confidence. Although commercial applications have some shielding due to additional context, the vulnerability remains significant. Developers and users of AI agents must be aware that URLs generated by models cannot be blindly trusted, and should implement additional verification measures, such as repository whitelists or manual URL validation before executing code.

HalluSquatting represents a new class of threat that merges traditional cybersecurity with the quirks of generative AI. As the researchers noted, 'it is a fundamental weakness in all available models.'

Historical context and comparisons

This attack is reminiscent of typosquatting, where attackers register domains with typographical errors of popular sites. However, HalluSquatting is more dangerous because it does not require the user to make a mistake: the model itself generates the incorrect URL. Unlike data poisoning attacks, there is no need to contaminate training data; it suffices to exploit the tendency to hallucinate.

What can be done?

For now, there is no magic patch. Researchers suggest that AI agent developers implement URL verification mechanisms, such as querying legitimate repository APIs before executing code. They also recommend limiting agent permissions and auditing the URLs they generate. In the long term, it will be necessary to rethink agent architecture to make them more aware of their own uncertainty.

Keep reading