
short
- Researchers introduced “Adversarial HalluSquatting,” an attack that exploits AI-generated hallucinations.
- This technique tricks AI agents into trusting fake repositories or tools that contain malicious instructions.
- Tests on popular AI coding assistants have shown that this method can lead to remote code execution in controlled experiments.
AI hallucinations may be more than just incorrect answers, they may become a way for hackers to break into computers, according to new research from Tel Aviv University, the Technion, and Intuit.
in paper“Beware of Agent Botnets: Untargeted and Scalable Real-Time Bottom-Attacks via Globally Transformable Adversarial HalluSquatting,” researchers demonstrated a technique that exploits artificial intelligence models when they generate fake links to software repositories and other online resources.
“The increasing adoption of LLM proxy applications has created a new threat previously known as spotware,” the researchers wrote. “While previous work has demonstrated that adversaries can exploit the direct channels of LLM applications for rapid software implementation under weak threat models, many applications do not provide any direct channels that can be exploited for immediate offline injection.”
The attack, known as “HalluSquatting,” involves predicting which fake resources the AI models are likely to create, recording those names, and adding malicious instructions. If an AI agent later retrieves the hallucinogenic resource, it may treat the attacker-controlled content as legitimate.
The threat emerges when AI assistants go beyond answering questions and gain the ability to interact with computers, access files, search the web, write code, and run commands, researchers said.
These capabilities can create security vulnerabilities when customers act on the information they retrieve without confirming whether the source is real.
“Ongoing studies have demonstrated various types of Promptware attacks against real-world systems, including ChatGPT, Google Assistant, Copilot, and many additional applications,” they wrote. “These works demonstrated that real-time software can lead to financial, privacy, and safety impacts.”
The researchers warned that this technology could allow attackers to build botnets that support artificial intelligence. A Robots Refers to a network of infected computers or devices controlled remotely by an attacker. Botnets are commonly used in cyber attacks, including denial of service attacks, Cryptocurrency mining, Distribution of malwareand Ransomware Campaigns.
During testing, researchers found that AI-generated resource hallucinations occurred at rates of up to 85% in warehouse cloning scenarios, and 100% in skill installation tests.
The team evaluated the technology against AI crypto assistants and agents, including… Indicator, Github copilot, twin Klee, and OpenClaw.
HalluSquatting is similar to Typographic squata cyberattack tactic where attackers register domain names that resemble legitimate websites or software packages to trick users. Instead of exploiting human typing errors, HalluSquatting targets errors made by AI models.
This news comes as researchers continue to test how attackers deal with artificial intelligence agents.
In April, researchers from Google detailed Malicious websites designed to hijack AI agents through indirect injection attacks, including attempts to steal passwords, delete files, and tamper with payments. A separate study onCuban pasta“The attack demonstrated how claims hidden within developer files can manipulate AI coding assistants to deploy malicious code.
In June, an OpenClaw user reported encountering more than 6000 Attempts by attackers trying to trick an AI agent into leaking sensitive information.
Daily debriefing Newsletter
Start each day with the latest news, plus original features, podcasts, videos and more.




