Researchers from Tel Aviv University, the Israel Institute of Technology, and Intuit have revealed a new attack method called "Adversarial HalluSquatting" in the paper "Beware of Proxy Zombie Networks: Achieving Scalable Unidirectional Promptware Attacks via Universal and Transferable Adversarial HalluSquatting," which exploits AI hallucination phenomena to trick AI agents into downloading malicious code.
HalluSquatting Attack Mechanism: Technical Principles of Predicting AI Hallucination Resources and Pre-Registering
According to the researchers, the attack steps of HalluSquatting involve predicting potential false links generated by AI models pointing to software repositories and online resources, pre-registering these under the same names, and embedding malicious commands within them. When AI agents attempt to retrieve these hallucinated resources, they interpret the attacker-controlled content as legitimate and execute it.
This mechanism is similar to traditional "typosquatting" in cyberattacks—typosquatting exploits human typing errors, whereas HalluSquatting targets AI model hallucination errors. As AI assistants expand from answering questions to accessing files, searching the web, writing code, and executing commands, the scope of this threat significantly increases.
Test Data: 85% in Code Repositories and 100% in Skill Installations
Based on the researchers' testing results, the hallucination occurrence rates for HalluSquatting attacks are as follows:
Code repository cloning scenario: 85% hallucination rate
Skill installation scenario: 100% hallucination rate
The team tested four major AI coding assistants and agents:
Cursor: Affected
GitHub Copilot: Affected
Gemini CLI: Affected
OpenClaw: Affected
Frequently Asked Questions
What is a HalluSquatting attack, and how does it differ from traditional cyberattacks?
According to the researchers, HalluSquatting involves predicting potential false resource links generated by AI models, pre-registering these under the same names, and embedding malicious commands. Unlike traditional typosquatting, which exploits human typing errors, HalluSquatting targets AI hallucination errors. The research paper was jointly published by Tel Aviv University, the Israel Institute of Technology, and Intuit.
Which AI tools are affected by HalluSquatting attacks?
Tests show that AI coding assistants such as Cursor, GitHub Copilot, Gemini CLI, and OpenClaw are all affected; hallucination rates reach 100% in skill installation scenarios and 85% in code repository cloning scenarios. The specific impact levels and mitigation measures depend on official security notices from each tool's developers.
How could HalluSquatting lead to the formation of AI zombie networks?
The researchers explain that if an AI agent retrieves malicious resources controlled by an attacker and treats them as legitimate, the attacker can remotely execute code through these agents, forming a zombie network composed of compromised AI agents. Such networks could be used for denial-of-service attacks, cryptocurrency mining, malware distribution, and ransomware attacks. Specific attack scenarios are detailed in the research paper.