AI Hallucinations Could Turn AI Agents Into Botnets, Researchers Warn
Researchers from Tel Aviv University, Technion, and Intuit have uncovered “HalluSquatting,” a technique where AI-generated hallucinations trick agents into trusting malicious repositories, potentially enabling botnets. Tests on Cursor, GitHub Copilot, and others showed up to 100% hallucination rates in skill installation.
Quick Take
HalluSquatting exploits AI hallucinated resource names by registering them with malware.
Tests show 85% hallucination rate in repo cloning, 100% in skill installs.
Threat expands as AI agents gain more autonomy and internet access.
Attack could lead to botnets used for crypto mining, ransomware, and more.
Market Impact Analysis
NeutralThe article discusses an AI security threat with no direct crypto market implications.
Speculation Analysis
Key Takeaways
- HalluSquatting exploits AI-generated hallucinated resource names by registering them with malicious code, tricking agents into executing it.
- Tests on top AI coding assistants showed hallucination rates of 85% in repo cloning and 100% in skill installation scenarios.
- The attack vector expands as AI agents gain more autonomy and internet access, potentially enabling large-scale botnets for crypto mining or ransomware.
- No immediate market impact, but security researchers warn the threat will grow with agentic AI adoption.
What Happened
Security researchers have uncovered a new attack technique that turns AI hallucinations into a delivery mechanism for malware. Dubbed “Adversarial HalluSquatting,” the method exploits the tendency of AI models to generate fake names for software packages, repositories, or tools. Attackers register these hallucinated resources and seed them with malicious instructions. When an AI agent later fetches the resource, it may execute the code, believing it to be legitimate. The research team from Tel Aviv University, Technion, and Intuit demonstrated the attack against popular AI coding assistants, including Cursor and GitHub Copilot, warning that it could be scaled to create botnets of compromised machines.
The Numbers
In controlled experiments, hallucination rates reached 85% when AI agents were prompted to clone repositories. In skill installation tests, the rate hit 100%, meaning every generated request included a non-existent resource. The tests spanned four major AI coding tools: Cursor, GitHub Copilot, Gemini CLI, and OpenClaw. While no actual breaches have been reported, the figures underscore a systemic vulnerability: as AI models become more agentic and gain access to the internet, the attack surface widens. The researchers noted that prior promptware attacks already demonstrated financial and privacy impacts, but HalluSquatting introduces an untargeted, scalable vector.
Why It Happened
AI hallucinations are inherent to current large language models, which often generate plausible but false information. When models are used to suggest or install packages, they may invent names that mimic real ones. Attackers can squat on these fake names—similar to typosquatting in domain hijacking—and host malicious payloads. Since AI agents are designed to execute tasks autonomously, they may not verify the authenticity of a resource before downloading and running it. The shift toward agentic systems that can interact with file systems, web APIs, and command lines amplifies the risk, turning a nuisance into a potential infrastructure threat.
Broader Impact
While the immediate financial impact is nil, the research signals a looming threat for the crypto sector. Botnets orchestrated through HalluSquatting could be repurposed for unauthorized crypto mining, ransomware, or wallet theft. As AI agents integrate deeper into development pipelines and financial tools, the line between hallucination and exploitation blurs. This could accelerate calls for AI safety standards and verified package registries, but in the interim, it highlights a new frontier in supply chain attacks.
What to Watch Next
- Whether threat actors weaponize HalluSquatting in the wild, especially targeting popular open-source registries.
- How AI developers respond—will they implement hallucination filters or sandbox agent actions?
- Potential regulatory attention on AI agent security, particularly as the EU AI Act and other frameworks evolve.
This article is for informational purposes only and does not constitute financial advice.
Always late to trends?
Join for the latest news, insights & more.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.