A new attack methodology has been identified, exploiting an inherent limitation in artificial intelligence (AI) models and having the potential to compromise thousands of computers. According to Ars Technica, this discovery affects nine popular tools used by programmers, demonstrating how a feature of AI assistants can be exploited by criminals.
The HalluSquatting Attack Mechanism
The attack was named HalluSquatting and capitalizes on a common characteristic of large language models (LLMs): when they cannot identify a specific project, they tend to invent an address instead of stating ignorance. Although it seems like a mere technical detail, this is where the risk materializes. Criminals pre-register these invented addresses, insert malicious code, and wait for a programming assistant to automatically attempt to access them.
Scalability of the Attack Vector
Unlike most prompt injections, which require a specific action against each target, HalluSquatting reverses this logic. It is the AI agents themselves that search for projects during their routine activities. Researchers indicated that the scalable nature of this attack allows the attacker to compromise a large volume of users with minimal effort. If the developer requests the installation of a newly launched project and the system fails to find the address, they may inadvertently access the page prepared by the criminal.
Focus on Recent Projects
Tests revealed that LLMs can correctly locate most projects published before 2019. However, among launches from 2025, the average hallucination rate reaches an impressive 92.4%. Since these projects are not yet part of the models' training set, there is a higher probability of the AI generating non-existent addresses. The research team also managed to map predictable patterns in these responses, facilitating the advance registration of these names by attackers.
Risks Associated with Hallucination
If the malicious code is executed, the affected computer can be integrated into a network controlled remotely by the criminals. The dangers pointed out include the formation of botnets, ransomware attacks, distributed denial-of-service (DDoS) attacks, and illegal cryptocurrency mining. Michael Bargury, CTO of Zenity, classified the situation as a 'very interesting research' and a 'very real threat.' Johann Rehberger added that the way LLMs locate projects could evolve into a new attack vector.
The research emphasizes the continuous need for human supervision over AI assistants. It is crucial to verify the origin of any suggested project, library, or component automatically before installing it, as this simple precaution can prevent a model hallucination from becoming a security vulnerability.

