Hackers can use 9 of the most popular AI tools to assemble massive botnets

· Source: AI - Ars Technica · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Robotics & Autonomous Systems · Depth: Expert, medium

Summary

Researchers have unveiled HalluSquatting, a novel pull-based prompt injection attack capable of assembling massive botnets and executing large-scale distributed denial-of-service (DDoS) attacks. This attack exploits the inherent tendency of large language models (LLMs) to hallucinate resource identifiers, such as repository or skill names, when prompted by users. It targets nine popular AI coding assistants and agents, including Cursor, Gemini CLI, and GitHub Copilot, which routinely access high-privilege command lines. The attack works by predicting identifiers LLMs are most likely to hallucinate (e.g., up to 85% for repositories, 100% for trending skills), registering these "squatted" names, and embedding malicious instructions like reverse shells. This allows attackers to indiscriminately infect numerous devices at scale, a capability previously unachieved by prompt injection methods. The flaw is foundational across six major LLMs, including Gemini-2.5-flash and GPT-5.2, with hallucination rates reaching 92.4% for newer resources.

Key takeaway

For AI Security Engineers deploying or managing LLM-powered coding assistants, you must recognize that current guardrails are insufficient against scalable prompt injection. Your teams should implement robust validation for all external resource resolution, as LLMs predictably hallucinate identifiers for new or trending packages. Assume agents will be fooled; prioritize resilience and manual verification of resource locations to prevent large-scale botnet formation or data exfiltration.

Key insights

LLMs' predictable hallucination of resource identifiers enables scalable, pull-based prompt injection attacks like HalluSquatting.

Principles

Method

HalluSquatting involves predicting LLM-hallucinated resource identifiers, registering them, and seeding them with malicious instructions (e.g., reverse shells) in repositories or skill files. Coding agents then execute these commands.

In practice

Topics

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Engineer, AI Scientist

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by AI - Ars Technica.