Researchers at Tel Aviv University, Technion, and Intuit have published a study documenting “HalluSquatting,” an attack technique that chains two AI coding assistant failure modes — package name hallucination and prompt injection — to execute attacker code on developer machines at scale. The research found that nine widely deployed AI coding tools hallucinate non-existent package names with up to 85% consistency for trending repositories and 100% consistency for trending skills, giving attackers a reliable prediction of which package names to preemptively register with malicious payloads.
How HalluSquatting Chains LLM Package Name Hallucinations With Prompt Injection
The attack exploits a two-stage failure. In the first stage, an AI coding assistant invents a plausible-sounding package name that does not exist in any legitimate registry — a hallucination that the model presents to the developer as a real dependency recommendation. In the second stage, an attacker who has predicted or observed this hallucinated name registers it on npm or PyPI with a malicious package containing a prompt injection payload embedded in the package’s readme or metadata.
When the developer asks the AI coding assistant to install the recommended dependency, the assistant attempts to install the preregistered malicious package. The prompt injection payload in the package’s contents then hijacks the AI’s behavior, redirecting it from installing a dependency to executing attacker-supplied code on the developer’s machine. The developer initiated a routine dependency installation; the result is attacker code running on their workstation with full user-level privileges.
The 85% and 100% Hallucination Rates That Make Preemptive Package Registration Viable
The researchers documented two hallucination rate thresholds that establish HalluSquatting as a scalable attack rather than an opportunistic one. When AI coding tools were asked to clone a trending repository, they hallucinated a non-existent package name up to 85% of the time. When the task involved a trending skill — asking the tool to add a dependency for a capability area rather than a specific project — hallucination rates reached 100%. At 100% consistency, an attacker does not need to test which package name a given tool will hallucinate for a given prompt; the hallucination is predictable enough to register the name in advance and wait for developer installation requests to arrive.
The 100% rate for trending skills is particularly significant because skill-based installation prompts are the most common real-world usage pattern for AI coding agents: a developer asks the agent to add authentication, add a payment processor, or add a caching layer — exactly the prompts that consistently produce hallucinated names at the rates the researchers documented.
How the react-codeshift npm Package Documented Real-World HalluSquatting Before This Research
A documented real-world precedent from January 2026 predates the researchers’ publication by months. Aikido Security researcher Charlie Eriksen discovered that the npm package react-codeshift — a name that AI coding tools had collectively hallucinated in generated instructions — had already been registered by an unknown party. By the time Eriksen identified it, the malicious package had spread to 237 code projects. AI agents continued to attempt installation of react-codeshift daily even after discovery, because the hallucination persisted across the tools’ responses regardless of the package’s registration status or content. The react-codeshift case confirms that HalluSquatting works in production conditions, not just in a controlled research environment.
The Nine AI Coding Tools Found Vulnerable to HalluSquatting
The researchers tested nine AI coding tools and found all nine vulnerable: Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw. The list spans the most widely deployed AI coding assistants in both enterprise and independent developer contexts — tools that collectively serve millions of active users writing code daily.
The vulnerability is not a software bug that an individual vendor can patch in the conventional sense. The hallucination behavior emerges from the underlying language model’s training and cannot be fully eliminated without changing how the model reasons about unfamiliar dependency requests. Vendors can add package verification steps — checking that a named package actually exists in a registry before recommending installation — but the researchers’ findings suggest that no tool tested in this study had such a verification step in place at time of publication.
Why HalluSquatting Creates a Botnet-Assembly Vector Rather Than Targeted Attack Potential
The researchers frame HalluSquatting as a botnet-assembly mechanism rather than a targeted attack tool. A single preemptively-registered hallucinated package name, once included in the hallucination pattern of multiple popular AI coding tools, can reach large numbers of developer machines simultaneously — each attempt by a developer to install the recommended package is an independent infection event. Because AI coding tools serve millions of users and the hallucination behavior is consistent across the same class of prompts, a well-chosen hallucinated package name accumulates installation attempts automatically, without any further action by the attacker beyond the initial package registration.
