2 min read

AI Coding Tools Can Be Hijacked for Botnets

Researchers say GitHub Copilot, Gemini CLI, and OpenClaw can be abused via a technique called HalluSquatting to trigger remote code execution.

Image: TechRadar

Botnet

Researchers at Intuit, Technion, and Tel Aviv University say popular AI coding and agent tools can be manipulated into fetching malicious resources and, in some cases, executing code that could help build massive botnets.

The attack is called HalluSquatting, short for adversarial hallucination squatting. It works by exploiting an LLM’s tendency to hallucinate repository or resource identifiers. Instead of a user mistyping a URL, as in typosquatting, the model itself points to a nonexistent or incorrect resource. An attacker can preemptively register that hallucinated destination and plant adversarial prompts there.

According to the researchers, that can be used to achieve remote tool execution and remote code execution at scale.

Recommended reading

Suno hack exposed how much music it scraped

“By preemptively registering hallucinated resources—a technique we call adversarial hallucination squatting (HalluSquatting)—we demonstrate remote tool execution and remote code execution at scale across a range of popular agentic LLM applications, which could be exploited to the establishment of a botnet.”

Researchers, paper introduction summary

Tools affected in the HalluSquatting tests

The paper says the technique was tested against a range of tools, including:

  • GitHub Copilot
  • Gemini CLI
  • OpenClaw
  • ZeroClaw
  • NanoClaw
  • Cursor
  • Cursor CLI
  • Windsurf
  • Cline

The researchers describe this as a blend of earlier pull-based LLM attacks and more traditional push attacks such as code injection. Once a likely hallucinated resource is identified and squatted on, the attacker only needs a user to trigger it. The AI agent then accesses the malicious resource, activates the embedded adversarial content, and enters what the report describes as the promptware attack stage.

At that point, attacker-controlled instructions can be executed, potentially turning a phone or PC into what the report calls a botnet zombie.

Mitigations are possible, but the researchers say they will take coordination. Suggested steps include having LLM developers block direct fetch operations in favor of search tools, and having resource owners adopt stricter naming conventions or globally unique names.

The warning comes as LLM-based malware becomes more common. The report points to JADEPUFFER as a notable example because it is described as a full ransomware attack run entirely by an LLM.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading