New AI Vulnerability HalluSquatting Discovered, Enabling Command Injection Attacks
Researchers have disclosed a new AI vulnerability named HalluSquatting that exploits language models' tendency to 'hallucinate' incorrect code repository addresses.

Researchers from Tel Aviv University, the Technion, and Intuit have identified a new artificial intelligence vulnerability, dubbed HalluSquatting. This exploit targets how AI models interact with external tools and repositories, specifically by leveraging what are known as AI 'hallucinations'.
The vulnerability allows AI agents to generate seemingly plausible but incorrect addresses for code repositories. When an AI is instructed to use a tool or script, and it encounters an unfamiliar or newly created repository name, it may invent a valid-looking URL pointing to a malicious version instead of the intended one. This can happen even if the AI performs a web search, potentially leading it to a deceptive link.
Successful exploitation could result in the execution of malicious code on a user's system. Potential consequences include the establishment of reverse shells, data and credential theft, installation of further malware, or cryptocurrency mining.
Studies indicate that the rate of these address 'hallucinations' can be high for newer code repositories, reaching up to 85%. The success rate of attacks varies depending on the AI agent used; some, like OpenClaw, show success rates nearing 80-100%, while others such as Gemini CLI and Copilot have reported success rates between 20-35%.