HalluSquatting attack tricks AI agents into running malicious code via hallucinated repos; 85% success rate
Researchers from Tel Aviv University, Technion, and Intuit published a security paper on HalluSquatting—a novel exploit that leverages AI model hallucinations to trick agentic AI into executing malicious code. The attack works by creating fake GitHub repositories with names the model will hallucinate as real (owner/repo patterns, typos of trending projects), then instructing the agent to fetch and run code from that repo. The model, unaware the repo is new and not in its training data, fabricates a plausible "correct" URL and pulls the attacker's malicious code.
Testing showed the hallucination rate for newly-published (2025) GitHub repositories reached 85% across all major models, including Claude Opus 4.5, with near-100% success against trending agentic tools. In application-level testing on Cursor, Windsurf, and OpenClaw, hallucination success rates ranged 20-35% (Cursor, Gemini CLI, Copilot) to 80-100% (OpenClaw variants). The exploit is universally transferable—not tuned to any specific bot architecture—and an attacker could weaponize a single poisoned repository to compromise tens of thousands of agents simultaneously.
Once malicious code executes on a user's machine, attackers gain full access: they can create reverse shells for remote command execution, steal credentials and data, install software, run crypto miners, and leverage the compromised agent (and its attached API keys, cloud credentials) for further attacks. The researchers tested on common tools like Cursor, Windsurf, and OpenClaw. Mitigation is straightforward but requires user discipline: instruct bots to run web searches before installing software, restrict agent access levels (API keys, service accounts), and avoid granting wide machine permissions by default.
For architects deploying agentic systems in production, the implication is stark: an AI agent with tool-calling permissions and filesystem or API access represents a supply-chain risk equivalent to a developer with pull-request permissions. The exploit does not require model fine-tuning or jailbreaking; it exploits hallucination, a property of all current LLMs. Teams must treat agent deployment as infrastructure security, not just model selection.
Sources
- Primary source
- tomshardware.com
“agents can hallucinate potentially malicious code repositories up to 85% of the time”
- tomshardware.com
“success rates for hacking ranged from 20%-35% for Cursor, Gemini CLI, and Copilot, and increased massively to close to 80-100% on OpenClaw”
- tomshardware.com
“Every single model is widely affected, up to and including Anthropic's mighty Claude Opus 4.5”