Danny Weber
Researchers show how attackers can exploit invented GitHub links and trick AI agents into installing malicious code instead of the real tool.
Researchers from Tel Aviv University have described a new HalluSquatting attack that exploits AI agent hallucinations. The issue is that models can confidently invent repository, library or tool names when they do not know the exact address of a project. For agents allowed to install and run code, that mistake can quickly turn into a real risk for the user’s device.
The attack relies on the predictable nature of these hallucinations. When a new popular repository appears and is not yet reflected in a model’s training data, a bot may “guess” a similar GitHub address: it might confuse the project owner, repeat the tool name in the author field or simply make a typo. An attacker can register a repository with that variant in advance and place malicious code there, making it look like the original project.
When a user asks an AI agent to install or run the needed tool, the model may choose the fake repository instead of the real one. The agent then downloads and runs someone else’s code with the permissions the user gave it. The fallout can be serious: stolen data and access keys, malware installation or a compromised machine becoming part of a broader attack.
According to the authors, modern models make mistakes especially often with new projects. For trending repositories from 2025, the average error rate when identifying the project owner reached roughly 92%, and in some scenarios involving agent skills it rose to 100%. Coding tools performed better but still raised concerns: in Cursor, Gemini CLI and Copilot, the attack success rate was estimated at 20–35%, while OpenClaw and its variants could approach 80–100%.
The researchers’ main advice is clear: do not give AI agents broad permissions or let them install code without checking the source. Bots should be explicitly told to look for the official repository, verify links and use extra context. But as long as many users run agents with access to files, API keys and service accounts for convenience, HalluSquatting exposes a basic weakness in that approach.
© RusPhotoBank