Overview
- The research paper released on Thursday named the technique Adversarial HalluSquatting and described how attackers can predict the fake package or repo names AI assistants invent.
- The attack works by registering those predicted names on registries or marketplaces and seeding them with adversarial instructions that a fetching agent will execute.
- In controlled tests the team measured hallucination rates as high as 85% for repository-clone prompts and 100% for skill installs and found the same hallucinated names recur across different models and agents.
- Practical mitigations include forcing agents to search or verify a package before fetching, disabling unattended auto-run modes, adding pre-fetch trust checks in marketplaces, and using runtime package-existence scanners like SlopScan.
- Researchers responsibly disclosed findings to vendors and redacted exploit steps, and while no broad real-world exploitation has been confirmed, the flaw could enable scalable botnet assembly if agents keep auto-fetching and auto-running unverified resources.