AI Agents Could Be Turned Into Botnets Through Hallucinations, Researchers Warn
New research shows AI hallucinations can be exploited as a security attack vector, not just a source of wrong answers. The technique, called HalluSquatting, targets AI agents that create fake links or references to software repositories and online resources. Attackers predict likely hallucinated names, register those resources, and embed malicious instructions. If an AI agent later retrieves the fake source, it may trust attacker-controlled content as legitimate. The risk grows as AI assistants gain the ability to browse, access files, write code, and run commands without verifying sources. Researchers tested the method against tools including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw, finding hallucinated resources in up to 85% of repository-cloning cases and 100% of skill-installation tests. The approach could enable scalable botnets and other attacks affecting privacy, finances, and system safety.
