Technology & InnovationNeutral
40

AI Hallucinations Could Turn AI Agents Into Botnets, Researchers Warn

Researchers from Tel Aviv University, Technion, and Intuit have uncovered “HalluSquatting,” a technique where AI-generated hallucinations trick agents into trusting malicious repositories, potentially enabling botnets. Tests on Cursor, GitHub Copilot, and others showed up to 100% hallucination rates in skill installation.

DecryptJason Nelson

Quick Take

1

HalluSquatting exploits AI hallucinated resource names by registering them with malware.

2

Tests show 85% hallucination rate in repo cloning, 100% in skill installs.

3

Threat expands as AI agents gain more autonomy and internet access.

4

Attack could lead to botnets used for crypto mining, ransomware, and more.

Market Impact Analysis

Neutral

The article discusses an AI security threat with no direct crypto market implications.

Timeframemedium

Speculation Analysis

Factuality85/100
RumorsVerified
Speculation Trigger40/100
MinimalExtreme FOMO

Key Takeaways

  • HalluSquatting exploits AI-generated hallucinated resource names by registering them with malicious code, tricking agents into executing it.
  • Tests on top AI coding assistants showed hallucination rates of 85% in repo cloning and 100% in skill installation scenarios.
  • The attack vector expands as AI agents gain more autonomy and internet access, potentially enabling large-scale botnets for crypto mining or ransomware.
  • No immediate market impact, but security researchers warn the threat will grow with agentic AI adoption.
Repo Cloning Hallucination Rate 85% in tests across AI coding assistants
Skill Install Hallucination Rate 100% in agent skill installation tests
AI Agents Tested 4 major Cursor, GitHub Copilot, Gemini CLI, OpenClaw
Research Team Multi-institution Tel Aviv University, Technion, Intuit

What Happened

Security researchers have uncovered a new attack technique that turns AI hallucinations into a delivery mechanism for malware. Dubbed “Adversarial HalluSquatting,” the method exploits the tendency of AI models to generate fake names for software packages, repositories, or tools. Attackers register these hallucinated resources and seed them with malicious instructions. When an AI agent later fetches the resource, it may execute the code, believing it to be legitimate. The research team from Tel Aviv University, Technion, and Intuit demonstrated the attack against popular AI coding assistants, including Cursor and GitHub Copilot, warning that it could be scaled to create botnets of compromised machines.

The Numbers

In controlled experiments, hallucination rates reached 85% when AI agents were prompted to clone repositories. In skill installation tests, the rate hit 100%, meaning every generated request included a non-existent resource. The tests spanned four major AI coding tools: Cursor, GitHub Copilot, Gemini CLI, and OpenClaw. While no actual breaches have been reported, the figures underscore a systemic vulnerability: as AI models become more agentic and gain access to the internet, the attack surface widens. The researchers noted that prior promptware attacks already demonstrated financial and privacy impacts, but HalluSquatting introduces an untargeted, scalable vector.

Why It Happened

AI hallucinations are inherent to current large language models, which often generate plausible but false information. When models are used to suggest or install packages, they may invent names that mimic real ones. Attackers can squat on these fake names—similar to typosquatting in domain hijacking—and host malicious payloads. Since AI agents are designed to execute tasks autonomously, they may not verify the authenticity of a resource before downloading and running it. The shift toward agentic systems that can interact with file systems, web APIs, and command lines amplifies the risk, turning a nuisance into a potential infrastructure threat.

Broader Impact

While the immediate financial impact is nil, the research signals a looming threat for the crypto sector. Botnets orchestrated through HalluSquatting could be repurposed for unauthorized crypto mining, ransomware, or wallet theft. As AI agents integrate deeper into development pipelines and financial tools, the line between hallucination and exploitation blurs. This could accelerate calls for AI safety standards and verified package registries, but in the interim, it highlights a new frontier in supply chain attacks.

What to Watch Next

  • Whether threat actors weaponize HalluSquatting in the wild, especially targeting popular open-source registries.
  • How AI developers respond—will they implement hallucination filters or sandbox agent actions?
  • Potential regulatory attention on AI agent security, particularly as the EU AI Act and other frameworks evolve.

Source: Decrypt

This article is for informational purposes only and does not constitute financial advice.

SourceRead the full article on Decrypt
Read full article

Always late to trends?

Join for the latest news, insights & more.

Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.

© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.

Read Next

Most Read

⚖️
Regulatory UpdatesBearish
57

New Hampshire Rejects Bitcoin Bond at Final Stage

New Hampshire's executive council voted 3-2 to reject a proposed bitcoin bond project at its final approval stage, effectively ending the trailblazing initiative. The decision dashes hopes for state-level government bitcoin bonds, though the council provided no explanation for the rejection.

BTC
90% confidence
Jul 9, 2026, 10:19 PM UTC · CoinDesk
AI Agent Hallucinations Enable Botnets: 85% Rate Found | Bytewit