HalluSquatting: weaponizing hallucinated names to seed agentic botnets
Attackers can pre-register the repository and skill names that coding agents predictably hallucinate, turning a routine 'clone this' prompt into remote code execution at scale.
What is this?
Most prompt-injection attacks assume the attacker has a channel to the victim: an email, a calendar invite, a shared document. A paper published July 8, 2026 — Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting (arXiv, July 8, 2026) — asks a harder question: can you compromise agentic LLM applications at scale when there is no direct channel at all?
Its answer is a technique the authors call adversarial hallucination squatting (“HalluSquatting”). When you ask a coding agent to clone a trending repository or install a popular skill, the model often does not know the exact identifier and simply hallucinates an owner or name. Those hallucinations are not random noise — they are predictable and repeat across models. An attacker who learns which names a model will invent can pre-register them, host a malicious prompt there, and wait for agents to fetch it on their own. It is typosquatting where the “typo” is generated by the model itself. This work extends the earlier finding that code models invent non-existent package names (Spracklen et al., 2025), the basis of “slopsquatting” (Socket) — but instead of poisoning a downstream package, HalluSquatting targets the agent itself at inference time.
How it works
The attack has three steps and needs no victim-specific delivery. First, the attacker picks trending resources — hot GitHub repositories, popular agent skills — and probes foundation models or the agent apps with ordinary prompts (“clone the X repo”) to estimate the probability distribution over the identifiers the model hallucinates. Second, they register the high-probability hallucinated identifiers on the real platform and host adversarial content there. Third, they wait: a legitimate user issues a normal request, the agent confidently emits a git clone or a skill-install command pointing at the attacker’s squatted name, fetches it, and the fetched content behaves as promptware — text engineered to hijack the agent’s own tools.
The measured hallucination rates are the point. Queried directly through their APIs, foundation models hallucinated the owner for 92% of recent trending repositories, and the same squattable slugs recurred across Gemini, GPT and Claude families — evidence the bias lives at the model layer, not the app. The hallucinations also concentrate: in 43% of tested (repository, model) combinations the single most common invented name captured more than half of all responses, and in twelve combinations it exceeded 90%, so one registration intercepts most requests. Across 1,616 unique hallucinated slugs, 18 were registrable and produced by two or more models; several were self-referential (owner equal to repository name) and directly claimable. End to end, the fetched resource led to tool invocation or remote code execution across every production application tested — coding assistants (Cursor, Windsurf, GitHub Copilot, Cline), a CLI (Gemini CLI), and assistants (OpenClaw, ZeroClaw, NanoClaw) — with success rates up to 100% on some skill-install paths. Concrete payloads are redacted in the paper; this write-up describes only the mechanism.
Why it matters
The combination is what makes this dangerous: the attack is untargeted, scalable, and needs no direct channel. An attacker registers a handful of names and any agent, anywhere, that hallucinates one of them becomes a victim — the paper frames the result as a way to stand up an agentic botnet, since a squatted resource can carry an instruction to install a persistent bot on the machine that pulled it. Because the hallucinations transfer across model families and from the raw model into production apps, a single set of squats is universal rather than tied to one vendor. Recency amplifies the effect: the newest trending repositories are the ones least likely to be in training data and therefore the most heavily hallucinated, so the freshest, most-cloned projects are also the softest targets.
Defenses
The paper’s own data points at the primary fix: verify the resource before acting on it. The one application that hallucinated less, Gemini CLI, did so precisely because it sometimes ran a web search to confirm a URL before cloning — where an app checks the identifier against the authoritative registry (GitHub’s API, the skill marketplace) and refuses to clone or install unverified slugs, the model-layer hallucination stops being exploitable. Concretely: resolve every owner/name against source of truth, and never let the agent free-form a repository owner or skill name into a shell command.
Layer defenses on top. Pin and allowlist trusted owners and exact URLs for anything the agent is allowed to fetch. Treat any fetched repository or skill as untrusted content that may contain promptware: sandbox the terminal tool, constrain the agent’s tool scope, and require explicit human approval before running clone, install, or downloaded scripts. Mirror the registry-side playbook used against typosquatting — pre-register or block high-probability hallucinated names for trending resources, and monitor newly created accounts whose names shadow popular projects. On the provider side, reducing identifier hallucination and training models to abstain (“I’m not certain of the exact repository”) instead of confidently inventing a slug removes the raw material the attack depends on. The authors disclosed to affected application vendors, model providers, and framework maintainers before publication.
Status
| Item | State |
|---|---|
| Attack class | Untargeted indirect prompt injection / promptware via squatted hallucinated resource names; public, reproducible research |
| First published | July 8, 2026 (arXiv 2607.07433) |
| Tested applications | Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, ZeroClaw, NanoClaw |
| Measured effect | 92% owner hallucination on recent trending repos; up to 85% (repo clone) / 100% (skill install) end-to-end; RCE across all tested apps |
| Transferability | Hallucinations recur across Gemini, GPT and Claude families and into app layer |
| Disclosure | Responsibly disclosed to vendors, model providers, framework maintainers; replicable payload details redacted |
| Actionable exploit here | None — defensive/educational synthesis only |