344
Productivity & Workflow355
Automation & Workflow224
Software Development251
Marketing & Growth192
AI Infrastructure & MLOps174
Writing & Content Creation203
Data & Analytics141
Design & Creative170
Photography & Imaging156
Customer Support131
Sales & Outreach125
Voice & Speech135
Education & Learning131
Operations & Admin87
A new prompt injection method can trick AI coding assistants into pulling fake code and running it, which could help attackers build large botnets.
In short: Researchers say a new attack called HalluSquatting can trick popular AI coding assistants into downloading and running harmful code at scale.
Security researchers described a technique they call HalluSquatting, short for “adversarial hallucination squatting.” It targets AI coding assistants and “agents” (tools that can take actions for you, like downloading code and running commands). The researchers say the method could let attackers infect many computers without picking targets one by one.
The idea relies on something many AI tools do wrong. When a user asks the assistant to “install” or “clone” a software project, the AI may guess the wrong location for it. This is a form of “hallucination,” which in plain terms means the AI makes something up instead of saying “I don’t know.” The researchers report that for newer and trending projects, models often guess wrong, and those wrong guesses tend to follow predictable patterns.
An attacker can register the made-up project name first, like grabbing a confusingly similar address before someone else does. Then, when an AI tool tries to fetch that project during normal work, it may pull the attacker’s version. The researchers say the attacker can hide instructions or code that installs a “reverse shell” (a back door that lets an attacker remotely control a computer).
Tools named as susceptible include Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw.
If AI coding tools are allowed to run downloads automatically, a single fake project could spread widely, like a counterfeit part entering many repair shops at once. The researchers warn this could be used to build botnets (groups of hijacked computers) for attacks like DDoS (overwhelming a website with traffic) or to spread ransomware.
Source: Arstechnica