Chicago IT Support & Cyber Security | Forward Technologies

Chicago-based Forward Technologies delivers IT support and cyber security to businesses in the Chicago area and nationwide.

  • Home
  • Services
    • Outsourced IT Support
    • DMARC Email Security
    • Development
      • Web Development & Facelifts
      • CustomView: Plugin for WordPress
    • Data Recovery Service
    • PPC Marketing Services
    • SEO Services
  • Email Security
    • SPF Basics
    • DKIM Basics
    • DMARC Basics
    • Email Security Consulting
  • Data Recovery Service
  • Blog
  • Contact Us

HalluSquatting Shows Why AI Agents Still Can’t Be Trusted on Their Own

July 8, 2026 by Edward Silha

A cartoon AI coding assistant enthusiastically downloading code from a repository with a convincing but fake name while a hooded hacker quietly celebrates in the background.I’ve said from the beginning that the biggest risk with AI isn’t that it writes bad code. It’s that people are starting to trust it to make decisions it has no business making.

New research drives that point home.

Researchers have uncovered a new attack called HalluSquatting, and it exploits one of AI’s most well-known weaknesses: it would rather make something up than admit it doesn’t know the answer.

That behavior, which we’ve all come to know as hallucination, is no longer just an annoyance. It can now be turned into a weapon.

Here’s how it works.

Developers increasingly rely on AI coding assistants like GitHub Copilot, Cursor, Gemini CLI, Windsurf, Cline, and others to clone repositories, install packages, and automate development tasks. If the AI doesn’t know where a newer project lives, it often invents a repository location that looks believable.

The scary part is those made-up locations aren’t random.

Researchers found they follow predictable patterns.

That means an attacker can register one of those fake repository names before anyone else does, upload malicious code, and simply wait. Eventually an AI assistant hallucinates that exact location, downloads the attacker’s repository, and in many cases executes whatever instructions it finds there.

Think about that for a second.

The attacker isn’t tricking the developer.

The AI is tricking itself.

And because modern coding assistants often have access to command shells, terminals, package managers, and development environments, they can end up installing malware, opening reverse shells, or executing scripts with very little user involvement.

At that point, you’ve effectively turned an AI assistant into a malware delivery platform.

What makes HalluSquatting different from traditional prompt injection attacks is scale.

Most prompt injection attacks require the attacker to target individual users by hiding malicious instructions inside emails, documents, source code, or web pages. Every victim has to encounter that content individually.

HalluSquatting flips the model.

Instead of pushing malicious content toward thousands of users, the attacker registers a malicious repository once and waits for AI agents to come looking for it. As adoption of AI coding assistants continues to grow, that attack scales almost automatically.

Researchers say the technique could be used to build botnets, deploy ransomware, install cryptocurrency miners, or create persistent backdoors across thousands of systems.

The underlying problem isn’t really the attack itself.

It’s that large language models still don’t know how to say three simple words.

“I don’t know.”

Humans verify information when they’re unsure.

LLMs tend to generate an answer that sounds plausible, even when it’s completely fabricated.

That’s manageable when the output is a paragraph or an email draft.

It’s a much bigger problem when the AI has permission to download software and execute commands on your machine.

One of the more interesting findings from the research was how often this happens with newer projects. Older repositories that existed before the models were trained were usually resolved correctly. But newer repositories, especially those created after the model’s knowledge cutoff, were frequently hallucinated. In some cases, the major language models generated incorrect repository locations more than 90 percent of the time.

That’s a staggering number.

It also explains why this attack is so practical.

The attacker doesn’t need to guess what the AI might invent. The models are surprisingly consistent, which makes those fake repository names relatively easy to predict and register ahead of time.

In a lot of ways, this reminds me of the early days of typo-squatting, where attackers registered package names that looked almost identical to legitimate software. The difference is that humans aren’t making the typo anymore.

The AI is.

That shifts the security conversation in a completely different direction.

We’re moving toward AI agents that can write code, install dependencies, deploy infrastructure, and administer systems with very little oversight. Every new permission we hand these tools increases the damage they can do when they inevitably make a bad decision.

That doesn’t mean AI coding assistants aren’t useful.

They absolutely are.

But they still need supervision.

The safest approach is to treat AI the same way you’d treat a brand-new junior developer. Let it do the repetitive work. Let it save time. Just don’t let it make security decisions on its own, and definitely don’t let it blindly download and execute code from the internet without verifying where it came from.

The technology keeps getting better.

The trust model hasn’t.

Filed Under: AI, Blog, Cybersecurity Tagged With: AI hallucinations, AI security, artificial intelligence, botnets, Cline, Cursor AI, cybersecurity, developer tools, Gemini CLI, GitHub, GitHub Copilot, HalluSquatting, large language models, LLMs, malware, prompt injection, ransomware, reverse shell, secure coding, software repositories, software supply chain, typosquatting, Windsurf

Social Media

  • Facebook
  • GitHub
  • LinkedIn
  • Periscope
  • Twitter

Forward Technologies
747 N LaSalle
STE 500B
Chicago, IL 60654
(312) 715-7806

Copyright © 2026 — Forward Technologies • All rights reserved. • Privacy Policy •