Researchers from Tel Aviv University, Technion, and Intuit published a new attack framework called HalluSquatting that exploits AI agent hallucinations to achieve remote code execution across nine popular agentic platforms. The technique achieved hallucination rates up to 85% in repository cloning and 100% in skill installation scenarios, according to the research paper and project page published this week.

How HalluSquatting Works

The attack exploits a structural weakness in how AI agents resolve resource identifiers. When a user asks an agent to clone a repository, install a skill, or access an external resource, the underlying LLM frequently hallucinates the resource name, returning an incorrect but predictable identifier. The researchers found these hallucinations are not random: they follow statistical distributions that attackers can compute in advance.

The attack chain works in three stages, as reported by TechRadar. First, the attacker identifies popular resources (trending repositories, widely-used skills) and probes LLMs to map the distribution of hallucinated names those resources produce. Second, the attacker registers the most likely hallucinated resource names and embeds adversarial prompts within them. Third, when any user triggers the agent with a request involving the original resource, the agent hallucinates the resource name, pulls the attacker-controlled version, and executes the embedded instructions.

The researchers describe this as a “push-me-pull-you” combination: unlike traditional pull-based prompt injection (poisoning a webpage and hoping a user visits it) or push-based injection (sending a malicious email), HalluSquatting requires no direct channel to the victim at all. The agent’s own reasoning failure creates the attack surface.

Nine Platforms Tested

The research team, led by Aya Spira (Tel Aviv University), Stav Cohen (Technion), Elad Feldman (Tel Aviv University), Ron Bitton (Intuit), Avishai Wool (Tel Aviv University), and Ben Nassi (Tel Aviv University), tested HalluSquatting against nine LLM-based applications with integrated terminal access:

  • AI coding assistants: Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline
  • CLI tools: Gemini CLI
  • AI assistants: OpenClaw, ZeroClaw, NanoClaw

Across these platforms, the researchers achieved both remote tool execution (remotely controlling the LLM’s tool-use capabilities) and remote code execution (running arbitrary code on the victim’s machine). The paper demonstrates that hallucinations transfer between foundational models and across different prompts, meaning a single squatted resource can compromise users across multiple platforms simultaneously.

Scaling to Botnets

The critical escalation is scale. Because popular and trending resources generate the highest hallucination rates (they are often too new to be in the LLM’s training data), a single attacker-registered resource can compromise thousands of machines as developers independently trigger the same hallucinated reference. Each compromised machine can be conscripted into a botnet without the attacker ever interacting with the victim directly.

TechRadar noted that this attack pattern compounds an existing trend: the JADEPUFFER attack, previously reported by TechRadar, demonstrated a full ransomware operation run entirely by an LLM.

Mitigation and Responsible Disclosure

The researchers proposed several mitigation strategies: LLM developers could block direct fetch operations in favor of search tools that return verified results, and resource owners could enforce strict naming conventions using globally unique identifiers. The research team responsibly disclosed their findings to all affected application vendors, foundation model providers, and marketplace maintainers before publication, and redacted implementation details that could enable direct replication.

The Architectural Problem

HalluSquatting is distinct from prompt injection because it does not require the attacker to manipulate any input the user or agent sees. The vulnerability lives in the inference layer itself. Any agent with internet access and terminal capabilities that resolves resource names through LLM reasoning is potentially exposed. Input sanitization, the standard defense against prompt injection, does not address this attack vector because the malicious content enters through the agent’s own hallucinated output, not through an external input channel.

For teams deploying agents with tool-use capabilities, the immediate question is whether resource resolution passes through a verified registry or relies on the LLM to reconstruct identifiers from memory. If it is the latter, HalluSquatting applies.