HalluSquatting: Attackers Exploit AI Coding Tool Hallucinations to Spread Malware
Researchers revealed in July 2026 that nine major AI coding tools, including Cursor, GitHub Copilot, and Gemini CLI, share a vulnerability called HalluSquatting that allows attackers to compromise developer environments without directly targeting victims. The technique exploits a known tendency of large language models to hallucinate plausible-sounding but nonexistent package or repository names when asked to find or install software. Attackers pre-register these predicted hallucinated names on GitHub or package registries, seeding them with malicious payloads such as reverse shells, then wait for AI agents to autonomously pull and execute them. Because the malicious packages are newly created, they carry no CVE history or reputation signals, rendering standard dependency scanners and prompt injection filters ineffective. A single registered malicious package can silently infect an unlimited number of unrelated developers who trigger the same hallucination, making the attack highly scalable with minimal attacker effort.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in