← All articles

HalluSquatting registers the fake package names AI coding tools invent

Researchers have shown an attack, called HalluSquatting, that weaponizes the tendency of AI coding assistants to invent plausible-sounding names for software packages that do not exist. The attackers work out which fake names an AI reliably hallucinates, register those names first on a package registry or GitHub, and upload a trap that instructs the coding agent to install a reverse shell or runs code directly. When the assistant fetches the made-up dependency on a developer's machine, it runs the attacker's payload. Tested against nine AI coding assistants, the technique could let attackers pool compromised developer machines into a botnet for crypto mining, denial-of-service attacks, or ransomware.

Check
Review whether developers or AI coding assistants automatically install and run packages the AI suggests, and check that dependencies are verified against known-good sources before installation.
Affected
Developers using AI coding assistants that fetch and run packages; if the assistant hallucinates a package name an attacker has pre-registered, the developer's machine runs attacker code and can join a botnet.
Fix
Do not let AI coding agents install or run fetched packages without human verification, confirm each suggested dependency actually exists and is legitimate, pin known-good dependencies, and isolate agent execution from credentials.