Researchers from Tel Aviv University, Technion, and Intuit introduced a cyberattack technique called Adversarial HalluSquatting that exploits AI-generated hallucinations to compromise AI agents. The attack tricks AI systems into trusting fake software repositories or tools containing malicious instructions by predicting which nonexistent resources AI models are likely to generate, registering those names, and embedding harmful code. The vulnerability emerges as AI assistants gain abilities to interact with computers—accessing files, searching the web, writing code, and running commands—creating security gaps when agents act on unverified information they retrieve.
The research paper titled "Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting" detailed how the attack exploits AI models when they generate fake links to software repositories and other online resources. The researchers wrote that the growing adoption of agentic LLM applications introduced a threat called promptware. The attack method involves predicting which fake resources AI models are likely to create, registering those names, and adding malicious instructions that AI agents may later treat as legitimate content.
The technique operates similarly to typosquatting, where attackers register domain names resembling legitimate websites or software packages. HalluSquatting targets mistakes made by AI models rather than human typing errors. The researchers stated that ongoing studies demonstrated various promptware attack variants against real-world systems including ChatGPT, Google Assistant, Copilot, and various additional applications, leading to financial, privacy, and safety impacts.
The research team found AI-generated resource hallucinations occurred at rates as high as 85% in repository cloning scenarios and 100% in skill installation tests. The team evaluated the technique against AI coding assistants and agents including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw. Tests against these popular AI coding assistants showed the method could lead to remote code execution in controlled experiments.
The researchers warned the technique could allow attackers to build AI-enabled botnets. A botnet refers to a network of infected computers or devices controlled remotely by an attacker, commonly used in cyberattacks including denial-of-service attacks, cryptocurrency mining, malware distribution, and ransomware campaigns. The security gaps emerge when agents act on information they retrieve without confirming whether the source is real.
In April, Google researchers detailed malicious websites designed to hijack AI agents through indirect prompt injection attacks, including attempts to steal passwords, delete files, and manipulate payments. A separate study on the CopyPasta attack showed how hidden prompts inside developer files could manipulate AI coding assistants into spreading malicious code. In June, an OpenClaw user reported facing more than 6,000 attempts from attackers attempting to trick the AI agent into leaking sensitive information.
What is Adversarial HalluSquatting and how does it work? Adversarial HalluSquatting is a cyberattack technique introduced by researchers from Tel Aviv University, Technion, and Intuit that exploits AI-generated hallucinations. The attack involves predicting which fake resources AI models are likely to create, registering those names, and adding malicious instructions that AI agents may later treat as legitimate content when they retrieve the hallucinated resource.
Which AI systems were tested for HalluSquatting vulnerability? The research team evaluated the technique against AI coding assistants and agents including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw. Tests showed AI-generated resource hallucinations occurred at rates as high as 85% in repository cloning scenarios and 100% in skill installation tests, with the method leading to remote code execution in controlled experiments.
What other AI security attacks have researchers documented? In April, Google researchers detailed malicious websites designed to hijack AI agents through indirect prompt injection attacks including password theft attempts, file deletion, and payment manipulation. A separate study on the CopyPasta attack showed how hidden prompts inside developer files could manipulate AI coding assistants into spreading malicious code. In June, an OpenClaw user reported facing more than 6,000 attempts from attackers attempting to trick the AI agent into leaking sensitive information.
Related News
OpenAI Releases ChatGPT Work for Extended Task Automation
Ethereum Foundation Uses AI Agents to Discover Network Vulnerabilities
OpenClaw Foundation is officially operational, with OpenAI, NVIDIA, and Microsoft as the first batch of partners.
C 羅 USWR token "deepfake" video and audio exposure, widely circulated across multiple platforms in early July.