Skip to main content
AI Coding Assistant Hallucinated a BotnetIncident
4 min readFor Security Engineers

AI Coding Assistant Hallucinated a Botnet

Your AI coding assistant just suggested a package that doesn't exist. You accept the suggestion. Moments later, malware is running on your machine.

This isn't theoretical. Researchers at Tel Aviv University documented a new attack class called HalluSquatting that weaponizes AI hallucinations against development teams.

Understanding the Threat

Ben Nassi's group at Tel Aviv University identified a vulnerability in how AI coding assistants fetch and execute code. When these tools hallucinate non-existent package names, attackers can register those fake names and serve malicious code instead.

The researchers tested six major AI coding platforms: Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family. All were vulnerable.

The attack works because AI assistants don't just suggest code, they fetch and sometimes execute it automatically. When the AI hallucinates a package name that doesn't exist, it creates a registration opportunity. An attacker who claims that name can serve arbitrary code to any developer whose AI assistant makes the same hallucination.

Attack Timeline

Initial Discovery Phase
The research team queried AI coding assistants for packages and dependencies across multiple scenarios. They documented which non-existent names the assistants consistently hallucinated.

Exploitation Testing
Researchers registered the hallucinated package names and monitored how often AI assistants fetched their malicious payloads. In their experiments, the AI assistant reached for the same wrong name in up to 85% of repository requests and 100% of skill installs.

Verification
The team confirmed the attack worked across different AI platforms and coding contexts. The consistency of hallucinations made the attack reliable enough for botnet creation.

Failed Controls

Input Validation and Sanitization
AI assistants failed to validate that suggested packages actually exist before fetching them. There's no verification step between hallucination and execution.

Least Privilege Execution
These tools run with the same privileges as the developer's IDE. When they fetch malicious code, that code inherits full access to the development environment.

Code Review and Approval
Many AI assistants auto-complete or auto-execute suggested code without requiring explicit developer approval for external dependencies.

Dependency Verification
The tools don't check package signatures, verify publishers, or confirm that a dependency exists in legitimate repositories before fetching it.

Compliance Standards

OWASP ASVS v4.0.3 Requirement 14.2.1 specifies that all components must be from trusted sources and verified. AI coding assistants that fetch arbitrary packages based on hallucinated names violate this requirement.

PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software includes security features to prevent or mitigate common software attacks. Auto-executing unverified code fails this control.

NIST 800-53 Rev 5 Control SI-3 (Malicious Code Protection) requires mechanisms to detect and eradicate malicious code. AI assistants that blindly fetch hallucinated dependencies bypass this protection entirely.

ISO 27001 Control 8.31 addresses separation of development, test, and production environments. When AI assistants run with production-level access in development environments, they create a direct path for malicious code to reach sensitive systems.

The gap isn't just technical, it's architectural. These AI tools were built for developer productivity without corresponding security controls. They operate outside your existing dependency management and code review processes.

Actionable Steps

1. Inventory Your AI Coding Tools
List every AI assistant your developers use. Include IDE plugins, CLI tools, and browser extensions. Don't assume you know -- developers install these tools without security review. Check your network logs for outbound connections to AI services. Look for packages being fetched from registries you don't recognize.

2. Implement Package Verification
Configure your development environments to require package signature verification. Block unsigned packages by default. Set up a private package registry and proxy all external dependencies through it. This gives you a verification layer between AI suggestions and actual code execution.

3. Restrict AI Tool Permissions
Run AI coding assistants in sandboxed environments with limited filesystem and network access. They don't need write access to your entire codebase. Use separate development accounts with restricted privileges. If an AI assistant fetches malicious code, limit the blast radius.

4. Disable Auto-Execution
Turn off any auto-complete or auto-execute features that run code without explicit approval. Make developers review and accept each suggestion. Configure your IDE to require manual confirmation before installing any dependency, regardless of whether it came from an AI suggestion or a developer's direct input.

5. Monitor Dependency Changes
Set up alerts for new dependencies added to your projects. Flag any package that wasn't in your approved list. Review your dependency graphs weekly. Look for packages you don't recognize, especially ones with names that seem AI-generated or nonsensical.

6. Update Your Threat Model
Add "AI hallucination-based supply chain attack" to your threat model. Document it in your risk register. Include AI coding assistant risks in your vendor security assessments. If you're using GitHub Copilot or similar tools, that's a third-party service with access to your code.

7. Train Your Developers
Explain HalluSquatting to your team. Show them how to verify package names before accepting AI suggestions. Create a policy: any AI-suggested dependency must be manually verified in the official registry before installation. No exceptions.

The 85% hallucination rate isn't a bug to be fixed, it's the nature of how these models work. They generate plausible-sounding names based on patterns, not facts. Until AI vendors implement verification layers, you need to build those controls yourself.

Start with your most sensitive projects. Apply these controls to any codebase that handles customer data, payment information, or authentication. Then expand to the rest of your development environment.

Topics:Incident

You Might Also Like