Published on July 8, 2026
HalluSquatting Attack Abuses AI Coding Assistants to Retrieve Malicious Repositories
Severity
Medium
Researchers have identified a new attack technique known as HalluSquatting, which exploits AI coding assistants by exploiting their tendency to generate incorrect repository or package names. By taking advantage of this behavior, attackers can trick AI assistants into retrieving malicious software instead of legitimate resources.
AI coding assistants occasionally generate repository or package names that do not actually exist, particularly when attempting to retrieve newly released or less familiar projects. Attackers exploit this behavior by registering these AI-generated names on public repositories or plugin marketplaces. When an AI assistant later recommends or retrieves the hallucinated name, it may unknowingly download the attacker’s malicious version instead of the legitimate software.
How?
The attack, known as HalluSquatting, combines AI hallucination with indirect prompt injection. Instead of targeting users directly, attackers embed malicious instructions within the fake repository or plugin. When the AI assistant retrieves the resource, the embedded instructions may influence its actions and cause it to perform attacker-controlled operations.
To increase the likelihood of success, attackers identify trending repositories or plugins that are not yet well represented in an AI model’s training data. They repeatedly query AI coding assistants to determine which incorrect names are consistently generated, then register those names before legitimate developers do. When users later ask their AI assistant to retrieve the intended resource, the assistant may instead fetch the attacker’s repository.
If the AI assistant is configured to automatically retrieve external resources and execute commands with limited user approval, the malicious instructions can cause it to download and execute malware on the host system. Researchers noted that, if exploited at scale, the technique could compromise multiple systems and potentially allow attackers to build a botnet.
Researchers successfully demonstrated the attack against several AI coding assistants, including Cursor, Windsurf, GitHub Copilot, Cline, Gemini CLI, and OpenClaw. Although the proof-of-concept deployed harmless payloads, the same technique could be used to install malware or other malicious software in real-world attacks.
Unlike traditional software supply chain attacks, HalluSquatting does not rely on exploiting software vulnerabilities. Instead, it abuses predictable AI behavior to redirect AI assistants toward attacker-controlled repositories. Researchers found that some hallucinated repository names were consistently generated across different AI models, increasing the likelihood that multiple users could be directed to the same malicious repository.
The researchers also noted similarities to previous attacks such as slopsquatting and phantom squatting, where attackers register AI-hallucinated package names or domains. HalluSquatting extends this concept by targeting AI agents that can automatically retrieve and execute external content, increasing the potential impact of successful attacks.
Recommendations
Organizations and users utilizing AI coding assistants are advised to take the following precautions to reduce the risk of AI-assisted supply chain attacks:
- Avoid enabling unattended or automatic command execution when AI assistants retrieve external repositories, packages, or plugins.
- Verify that repository, package, and plugin names correspond to legitimate and trusted sources before allowing AI assistants to download or install them.
- Treat AI-generated repository or package names as suggestions and validate them before use.
- Enable available security features that require user approval or inspect external content before AI assistants execute commands or install software.
Source
https://thehackernews.com/2026/07/new-hallusquatting-attack-could-trick.html
