Wed 08 Jul 2026 / 10:56 ET
Kernel
Internet 3 min read

Researchers show how hallucinated repo names can hijack AI coding agents

A HalluSquatting study says nine AI coding tools can be lured into pulling attacker-owned resources and running malicious code.

Dana Voss

By Dana Voss / Security Correspondent

Researchers show how hallucinated repo names can hijack AI coding agents
img: Ars Technica

Researchers say a new prompt-injection technique can turn a familiar software supply-chain nuisance into something nastier for developers using AI coding agents: an automated way to lure agents into downloading attacker-controlled repositories and running code from them.

The attack, named HalluSquatting by its authors, targets AI coding assistants and agents that fetch code, scripts or “skills” from online registries as part of normal developer work. The researchers said Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw and NanoClaw were susceptible in their testing.

The work was published Wednesday by Aya Spira, Elad Feldman, Avishai Wool and Ben Nassi of Tel Aviv University, Stav Cohen of Technion and Ron Bitton of Intuit.

How the attack works

Prompt injection usually requires an attacker to place hostile instructions where a model will read them, such as in an email, calendar item or document. That “push” model has a scaling problem because each target has to receive the poisoned content.

HalluSquatting flips the direction. The agent goes looking for a resource, hallucinates the wrong location, and fetches a lookalike resource the attacker registered in advance. The researchers describe this as adversarial hallucination squatting, a cousin of typosquatting where attackers register package or domain names that resemble legitimate ones.

The weak link is resource resolution. When a developer asks an agent to clone or install a new repository or skill, the underlying large language model may invent a plausible owner and path rather than locate the real one. The paper says this happens most often for newer and trending resources, which are less likely to have appeared in model training data and can receive many downloads over a short period.

According to the researchers, agents asked to clone a popular new repository produced the wrong location as often as 85 percent of the time. For trending skills, the rate could reach 100 percent. Repositories published before 2019 had a mean hallucination rate of 0.9 percent in their tests, while repositories published in 2025 had a mean rate of 92.4 percent.

The authors tested six underlying models: Gemini-2.5-flash, Gemini-2.5-pro, GPT-5.1, GPT-5.2, Sonnet-4.5 and Opus-4.5. They said all six showed predictable naming patterns. One recurring pattern is self-reference, where a model maps a repository name to an owner and repository pair with the same name.

That predictability is what makes the attack scale. An attacker can identify likely hallucinated names, register the available ones on a platform such as GitHub or in a skill registry, and populate the resource with malicious instructions or code. If an agent retrieves it, its terminal access can become the execution path. The paper describes payloads such as reverse shells, which would give an attacker remote control of the victim machine.

Botnet risk, with the usual caveat

The researchers argue that this could support botnets, distributed denial-of-service attacks, cryptomining or larger ransomware campaigns because many independent agents could be tricked without one-by-one targeting. The paper presents that as a capability enabled by the attack model, not as evidence of an active criminal campaign using HalluSquatting in the wild.

Michael Bargury, chief technology officer at Zenity, told Ars Technica the threat is real and compared it to typosquatting, saying agent systems should be built on the assumption that they will be fooled. Independent researcher Johann Rehberger said the work shows that model-driven resource lookup can itself become an attack path.

The practical lesson is unglamorous and annoying: developers still have to verify the exact repository, owner and registry location before letting an AI agent install or run anything. Giving a model a shell does not make it a build engineer. It gives a probabilistic text system a command line, and attackers can register whatever names that system is likely to imagine.

This story draws on original reporting from Ars Technica.

More Internet/

view all ↗