Hackers can use 9 of the most popular AI tools to assemble massive botnets
New research reveals 'HalluSquatting,' a technique where hackers exploit AI hallucinations to distribute malware via deceptive software packages.

This article is original editorial commentary written with AI assistance, based on publicly available reporting by Ars Technica. It is reviewed for accuracy and clarity before publication. See the original source linked below.
A startling new vulnerability in the world’s most popular large language models (LLMs) has been unearthed, revealing a sophisticated attack vector dubbed "HalluSquatting." Security researchers have demonstrated that at least nine of the industry’s leading AI tools, including those developed by OpenAI, Google, and Meta, can be manipulated into recommending non-existent software libraries to developers. By preemptively registering these "hallucinated" package names on public repositories like GitHub or PyPI, malicious actors can trick users into downloading infected code. This marks a significant shift in cyber threat intelligence, as the very tool designed to boost developer productivity is becoming a primary vehicle for supply chain attacks.
The phenomenon of "hallucinations"—where an LLM confidently asserts false information as fact—has been a persistent thorn in the side of generative AI since the launch of ChatGPT. While initially viewed as a humorous quirk or a minor reliability issue, the security implications are now coming into sharp focus. Historically, developers relied on search engines or community forums like Stack Overflow, where human moderation provided a thin layer of defense against malicious suggestions. However, the move toward "AI-first" development workflows has removed that friction, creating a vacuum where speed often supersedes manual verification.
Mechanically, HalluSquatting functions by exploiting the probabilistic nature of LLMs. When a developer asks an AI for a specific coding solution, the model may generate a plausible-sounding library name that does not actually exist. The attacker, having identified these recurring hallucinations through large-scale testing, registers the domain or package name and fills it with malicious payloads. When a developer copies the suggested command into their terminal, they unknowingly grant the attacker access to their local environment or corporate network. This is not a failure of the software's code execution, but a psychological hack of the developer’s trust in the AI’s competence.
The implications for the technology industry are profound and troubling. As enterprises rush to integrate AI coding assistants like GitHub Copilot and Amazon CodeWhisperer to speed up product cycles, the surface area for supply chain attacks is expanding exponentially. This creates a "trust gap" that could slow the adoption of these tools among security-conscious firms. Furthermore, it shifts the burden of liability; if an AI suggests a dangerous action, who is responsible? The developer who followed the prompt, the company that built the model, or the maintainer of the repository? Current regulatory frameworks are ill-equipped to answer these questions, leaving a legal gray area that attackers are eager to exploit.
Beyond the immediate technical threat, HalluSquatting signals a new era of "poisoning" the digital commons. If AI models continue to ingest their own output or the output of other models—a cycle known as model collapse or data incest—the prevalence of these hallucinations could increase. This creates a feedback loop where non-existent packages become codified in the AI’s training data, making them appear even more legitimate to the next generation of users. The integrity of open-source ecosystems, which the global economy relies upon, is now facing a structural threat that cannot be patched with a simple software update.
Looking forward, the industry must pivot toward "verifiable generation." We are likely to see the emergence of secondary security layers—AI "fact-checkers"—that sit between the LLM and the user, cross-referencing every suggested library against live databases of verified software. Developers should also expect a shift in how package managers operate, perhaps incorporating stricter identity verification for new registrants. The era of blind faith in AI-generated code is coming to an end; the next phase of the AI revolution will be defined not by how much these models can build, but by how effectively we can verify that what they build is safe.
Why it matters
- 01HalluSquatting leverages AI's tendency to invent non-existent software libraries to trick developers into installing malicious code.
- 02The bypass of human moderation in AI-assisted coding creates a new, direct pipeline for supply chain attacks against enterprise networks.
- 03The discovery necessitates a shift toward verifiable AI outputs and stricter security protocols for open-source package repositories.