Particle.news
Download on the App Store

HalluSquatting Lets Attackers Pre-Register AI Hallucinations to Seed Malicious Packages

Researchers showed that predictable model errors can make coding assistants fetch and run attacker-controlled repositories, creating a direct route to remote code execution.

Overview

  • The research paper released on Thursday named the technique Adversarial HalluSquatting and described how attackers can predict the fake package or repo names AI assistants invent.
  • The attack works by registering those predicted names on registries or marketplaces and seeding them with adversarial instructions that a fetching agent will execute.
  • In controlled tests the team measured hallucination rates as high as 85% for repository-clone prompts and 100% for skill installs and found the same hallucinated names recur across different models and agents.
  • Practical mitigations include forcing agents to search or verify a package before fetching, disabling unattended auto-run modes, adding pre-fetch trust checks in marketplaces, and using runtime package-existence scanners like SlopScan.
  • Researchers responsibly disclosed findings to vendors and redacted exploit steps, and while no broad real-world exploitation has been confirmed, the flaw could enable scalable botnet assembly if agents keep auto-fetching and auto-running unverified resources.