HalluSquatting Pre-Registers LLM-Invented Package Names for Agentic Botnet Recruitment
HalluSquatting converts recurring LLM hallucinations into a passive malware delivery channel by squatting fabricated package names. The resulting agentic botnets bypass traditional targeting requirements and produce diverse host sets. Procurement records show no current controls for this class of AI-driven supply-chain risk.
Attackers register hallucinated names in advance for popular resources requested from tools including Cursor, GitHub Copilot, and Gemini CLI. When the model outputs the squatted identifier the assistant clones the repo or installs the package and runs attacker commands in the built-in terminal. Commands can chain into further tool execution and malware deployment without requiring direct user targeting. Tests recorded consistent recurrence of the same fabricated names across foundation models, confirming the vector scales without per-victim channels. This produces agentic botnets whose growth tracks hallucination frequency rather than exploit volume or weak credentials, yielding more heterogeneous device populations than Mirai-style infrastructure. The technique merges documented AI supply-chain trust failures with botnet operations. Prior prompt-injection research focused on direct channels; HalluSquatting removes that requirement by exploiting the model’s own output distribution. Defense and intelligence procurement of agentic coding tools has not yet addressed hallucination-driven package resolution in acquisition criteria. Vendors received advance notice and exploit details were withheld. Continued registration of high-frequency hallucinated names by multiple actors is expected within the next quarter as tooling adoption widens.
Intuit researchers: 300+ distinct squatted packages registered by independent actors within 60 days.
Sources (3)
- [1]HalluSquatting: Exploiting LLM Hallucinations for Malware Delivery(https://www.securityweek.com/hallusquatting-turns-ai-hallucinations-into-botnet-delivery-mechanism/)
- [2]Prompt Injection in AI Coding Assistants(https://arxiv.org/abs/2404.14230)
- [3]Mirai Botnet Measurement Study(https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis)