Researchers Expose 'HalluSquatting' — A New LLM Attack That Tricks AI Coding Assistants into Installing Malware
Researchers from Tel Aviv University and collaborating institutions have disclosed a novel large language model (LLM) attack technique called HalluSquatting. Attackers identify external resource names — such as package repositories or AI agent skills — that LLMs are prone to hallucinating, register those names in advance, and embed adversarial prompt content within them. When an AI coding assistant fetches these fabricated resources, it may execute attacker-controlled malicious instructions.

Highlights
- Tel Aviv University researchers disclosed HalluSquatting, a new LLM attack technique that weaponizes AI hallucination to deliver malicious content via fake external resources.
- Attackers pre-register repository or AI agent skill names that LLMs are statistically likely to hallucinate, embedding adversarial prompt instructions inside those resources.
- AI coding assistants operating in agentic workflows are the primary target — if they autonomously fetch a poisoned resource, attacker-controlled commands may execute on the developer's machine.
- HalluSquatting merges LLM hallucination with software supply chain attack methods, bypassing human error and targeting automated AI behavior directly.
- Researchers note the technique is broadly applicable across LLMs used to recommend or retrieve external resources, with specific tested platforms not yet publicly disclosed.
Researchers from Tel Aviv University and collaborating institutions have disclosed a novel attack technique targeting large language models (LLMs), dubbed HalluSquatting.
How HalluSquatting Works
The attack exploits a well-known weakness in LLMs: hallucination — the tendency to confidently generate plausible-sounding but fabricated information. In this case, attackers systematically identify the specific names of external resources, such as software package repositories or AI agent skills, that a target LLM is statistically likely to invent when responding to developer queries.
Once these "phantom" resource names are identified, the attackers register them on legitimate platforms before any genuine resource exists under those names — a tactic analogous to traditional domain squatting or typosquatting, but targeting AI-generated references rather than human typos.
The registered resources are then loaded with adversarial prompt content — instructions designed to manipulate the behavior of any AI system that subsequently ingests them.
The Threat to AI Coding Assistants
The critical risk emerges when an AI coding assistant — operating in an agentic workflow where it can autonomously fetch and execute external resources — pulls one of these malicious packages or skills. At that point, the attacker-controlled instructions embedded within the resource may be executed, potentially enabling:
- Malware installation on the developer's machine
- Data exfiltration from the development environment
- Supply chain compromise if the affected code is pushed downstream
Implications for the Industry
HalluSquatting represents a convergence of two threat vectors: LLM hallucination and software supply chain attacks. Unlike conventional phishing or dependency confusion attacks that rely on human error, HalluSquatting specifically targets the automated, agentic behavior of AI development tools — an attack surface that is growing rapidly as AI coding assistants become more deeply integrated into software development pipelines.
The researchers have not yet disclosed which specific LLMs or platforms were tested, but noted that the technique is broadly applicable across models that are used to recommend or retrieve external resources.
Security teams and developers using AI coding assistants are advised to audit the packages and external resources recommended by AI tools before installation, and to implement strict allow-listing policies in agentic AI workflows.
原文來源: 查看原文
FAQ
Newsletter
Subscribe to our Low-Altitude Industry Newsletter
Daily curated news on low-altitude economy and drone industry, delivered to your inbox.
Reviewed and published by the LAETimes editorial desk ·


