9 Popular AI Tools Vulnerable to HalluSquatting Botnet Attacks
Original: Hackers can use 9 of the most popular AI tools to assemble massive botnets
Why This Matters
HalluSquatting marks the first prompt-injection class capable of mass, indiscriminate device infection at internet scale.
Researchers revealed a new pull-based prompt injection attack called 'HalluSquatting' that exploits LLM hallucinations to register malicious packages, enabling mass botnet assembly and DDoS attacks across 9 major AI coding tools including Cursor, Gemini CLI, and GitHub Copilot.
Security researchers have disclosed a novel attack method named 'HalluSquatting' (short for adversarial hallucination squatting), published in a paper on July 8, 2026. The attack targets AI coding assistants and agents — specifically Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw — all confirmed susceptible.
Unlike traditional 'push'-based prompt injections that require targeting individual victims, HalluSquatting is pull-based: it exploits the inherent tendency of LLMs to hallucinate package or resource identifiers when fetching code from repositories and registries. Attackers predict which identifiers LLMs are likely to fabricate, register those names in real repositories, and seed them with malicious payloads such as reverse shells. When an AI coding agent autonomously fetches these resources during normal workflows, it executes the malicious code.
'The scalable property of the attack enables the attacker to compromise a large number of users with minimal effort by targeting popular resources,' the researchers wrote. Because coding agents typically operate with high-privilege command-line access, a single squatted package can infect large numbers of independent systems without any direct targeting of individual users — a first for prompt-injection-based attacks.