HalluSquatting: AI agent hallucinations enable agentic botnets

Researchers from Tel Aviv University, Technion, and Intuit warn that AI agents can be weaponised using a new technique called HalluSquatting. The core issue is LLM hallucinations: models confidently invent non-existent code or repository/package names. Attack flow: when developers use AI coding assistants to install packages or clone GitHub repos, HalluSquatting can cause the agent to “hallucinate” a plausible name. Attackers pre-register and publish malicious code under those predicted names. If the agent later tries to fetch the same hallucinated resource, the developer unintentionally installs malware. Reported results: in tests, hallucination-driven compromise rates reached up to 85% for repository cloning and up to 100% for skill installation scenarios. The work also notes that hallucination rates are high on popular GitHub resources evaluated in 2025, with many cases averaging above 92%. Why traders should care: compromised agents with terminal access can be chained into “agentic botnets”, expanding “promptware” risk beyond earlier squatting attacks. Such botnets are commonly linked to denial-of-service, ransomware, and crypto mining. The researchers disclosed findings to vendors and model providers, with sensitive details redacted to limit immediate exploitability. Bottom line for crypto markets: this is a security risk affecting software supply chains and AI tooling, which can indirectly raise operational risk for ecosystems that rely on AI development and automation.
Neutral
The report highlights a software/AI security threat (HalluSquatting) that could enable agentic botnets and potentially crypto mining. However, it does not directly identify a specific cryptocurrency, protocol, or on-chain ecosystem with immediate token-specific effects. Therefore, the most likely market reaction is limited to broader risk sentiment around AI-enabled cyber threats, rather than a clear direction for any single coin’s price. In the short term, it may slightly increase perceived operational risk for tech-adjacent projects, but with vendor disclosures and redactions, the immediate tradable impact is likely modest. Over the long term, the main effect would be on security tooling and development practices—not on underlying crypto fundamentals.