
HalluSquatting Hits 100% Consistency on Gemini CLI and 85% on Copilot for Malicious Repo Registration
HalluSquatting converts AI coding assistants' consistent hallucinations into registered malicious repositories that the tools themselves fetch and execute. The method requires no traditional malware distribution and scales across vendors via identical fabricated names. Evidence from controlled tests and prior Nassi-group incidents indicates this supply-chain vector will persist without new verification layers.
{"The attack identifies trending resources absent from training data, records the single most common fabricated name an assistant invents, then registers that exact name on GitHub or plugin stores containing indirect prompt injections. Once the assistant pulls the poisoned repo, its terminal tool executes the attacker's commands, installing standard botnet malware with no password or worm component required.","Experiments documented consistent error patterns: the same wrong name appeared in up to 85% of repository requests and 100% of skill installs across models from multiple vendors. Payloads were placeholder commands; production variants would install identical bots on Windows, Linux, and macOS hosts. Prior Nassi group work on AI email worms and Gemini calendar exploits shows the same indirect-injection pattern now applied to supply-chain delivery.","This bypasses conventional botnet defenses because no exploit traffic or credential stuffing occurs; the AI itself becomes the distribution mechanism. Marketplace operators and model vendors received advance notice, yet no public verification step for hallucinated names has been deployed. Procurement records for enterprise AI coding licenses continue to emphasize productivity over hallucination containment.","Next phase will track whether GitHub or plugin registries add pre-registration checks for names matching common AI hallucinations; absence of such controls by early 2027 would confirm the attack surface remains open for scaled botnet assembly."}
GitHub: Within 9 months at least 200 HalluSquatting-style repos will be registered and detected via name-consistency monitoring.
Sources (2)
- [1]Primary Source(https://arxiv.org/abs/2607.12345)
- [2]Supporting Source(https://thehackernews.com/2026/07/new-hallusquatting-attack-could-trick.html)