Researchers have uncovered a fresh AI security problem called HalluSquatting, and it is the kind of flaw that turns a simple mistake into a dangerous shortcut for attackers. The issue starts when an AI assistant invents a software name or repository, then confidently grabs the wrong files and may even run commands on your machine. That mix of speed, trust, and bad judgment can open the door to malware, stolen data, and a lot more trouble than a plain old bad link.
At its core, HalluSquatting targets AI tools that browse online resources, fetch software, and operate with some level of computer access. Instead of just giving you a wrong answer, the AI can create a fake project name that never existed, then land on a malicious copy an attacker planted ahead of time. If that assistant also has permission to execute commands, the mistake stops being annoying and starts becoming a security problem.
The researchers behind the work, from Tel Aviv University, Technion, and Intuit, tested the idea against well-known AI coding tools and personal assistants. They showed that hallucinated names can repeat across different prompts, which gives an attacker something to work with. Once a fake name becomes predictable, it can be registered by a bad actor and turned into a trap that looks close enough to fool an automated system.
The attack flow is unsettlingly simple. An attacker watches how AI models respond when asked about a popular or newly emerging project, then claims one of the made-up names before anyone else does. That squatted resource can carry poisoned setup files, hidden instructions, or documentation that nudges the assistant into doing the wrong thing.
That is where the risk gets bigger than a bad download. If an AI assistant reads those instructions as part of its task, it may follow them without realizing they were planted by an attacker. If the assistant has terminal access, it could also execute commands that pull in more malware, inspect local files, or help install a deeper compromise.
The danger rises fast when the assistant is not just a chatbot, but an autonomous agent. A basic chatbot might hand you a useless result and leave it at that, but an agent can browse, fetch, install, and run tools on your behalf. That extra reach is useful, but it also means malicious instructions can travel farther and do more damage once they slip past the first layer of trust.
In the tests, the researchers looked at tools such as Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, and Gemini CLI. They reported hallucination rates as high as 85% in repository-cloning scenarios, with some skill-installation tests reaching 100%. They also demonstrated remote tool execution and remote code execution in controlled environments, which is a sharp reminder that this is not just theoretical hand-wringing.
Another key point is that AI systems do not always verify a resource before grabbing it. Sometimes they rely on training data instead of live web checks, which makes it easier for an invented name to slip through. Security experts say AI agents should confirm the real project, owner, and source before any download happens, because a convincing answer is not the same thing as a trustworthy one.
There is also the botnet angle, and that is where the whole thing gets darker. A botnet is just a group of compromised devices controlled by an attacker, and HalluSquatting could give criminals one more way to build one. If an AI assistant unknowingly pulls a malicious package onto many different machines, those devices could end up connected by the same hidden payload, even if they sit on separate networks.
AI companies have a few obvious ways to tighten the screws. They can require live searches before downloads, force human approval before running outside code, and add stronger warnings when a source has little history or an unverified owner. On the user side, the safest move is still to stay skeptical, limit permissions, keep command approval turned on, and verify every source before letting an AI tool touch your system.
That means checking the official developer site, using sandboxed or virtual machine environments for unfamiliar code, and locking down access to passwords, API keys, and private files. Strong antivirus software, up-to-date tools, and careful review of terminal commands all help too. The big lesson here is blunt: the less freedom an AI agent has, the less damage a hallucination can do when it goes off the rails.
