Hackers can use 9 of the most popular AI tools to assemble massive botnets

by | Jul 17, 2026 | Technology

News summary produced by Claude AI

Security researchers have discovered a vulnerability in popular AI coding assistants and agents that could allow attackers to create large-scale botnets and conduct distributed denial-of-service attacks. The attack, named HalluSquatting, exploits a fundamental weakness in how large language models identify and retrieve code repositories and resources.

The attack targets nine widely-used AI tools including Cursor, GitHub Copilot, Gemini CLI, Windsurf, and others that regularly access code repositories during normal operations. Unlike previous prompt injection attacks that required targeting individual users, HalluSquatting operates at scale by leveraging an inherent tendency of LLMs to hallucinate—incorrectly predict—the locations of resources. Researchers found that when users request code cloning or resource installation, current LLMs misidentify repository locations up to 85 percent of the time for popular repositories, and 100 percent of the time for trending resources not present in training data.

The attack works by identifying commonly hallucinated resource names, registering those names with malicious code repositories, and waiting for AI assistants to retrieve them. When coding agents access these fraudulent repositories, they execute embedded instructions to install reverse shells and other malicious software on users’ machines. The technique draws parallels to typosquatting—registering domain names similar to legitimate ones—which has been exploited since at least 2016.

Research from Tel Aviv University and other institutions found that all six major LLMs tested follow predictable hallucination patterns when resolving resource identifiers. Notably, the models correctly identify older repositories published before 2019 less than one percent of the time but misidentify 2025 repositories with a 92.4 percent error rate. Once compromised at scale, these infected devices could be aggregated into botnets for cryptocurrency mining, ransomware distribution, or large-scale cyberattacks.

Security experts responding to the research characterize the threat as significant and persistent. The fundamental issue stems from allowing AI agents high-level access to system terminals and command lines while the underlying LLMs cannot reliably distinguish between legitimate and malicious instructions, creating a gap that current guardrails cannot fully address.

Article Attribution | Read More at Article Source