Researchers detail botnet risk from AI agent hallucinations

In Crypto Regulations
July 10, 2026

Researchers detail botnet risk from AI agent hallucinations

Researchers from Tel Aviv University, the Technion and Intuit described a new class of attacks on agentic AI applications. It leverages language models’ tendency to invent nonexistent identifiers for repositories, skills and other external resources.

In a preprint, the authors showed that such errors can be turned into a channel for delivering malicious instructions. In controlled experiments, the attack triggered built-in tools of AI agents and enabled remote code execution.

“The tendency of LLM to hallucinate resource identifiers can be used to amplify non-targeted promptware attacks,” the paper says.

The work focuses on agentic AI systems that not only answer questions but also access files, search the web, clone repositories, install extensions, run terminal commands and call APIs.

How HalluSquatting works

The authors call the attack Adversarial HalluSquatting. The scenario centers on a predictable model error. A user asks an AI agent to, for example, clone a popular repository or install a skill. The agent must determine the exact resource address. If the model does not know the correct identifier, it may invent a similar one.

An attacker monitors popular resources, repeatedly queries the model and determines which nonexistent addresses it most often generates. The attacker then registers those names on GitHub, ClawHub or another platform and posts malicious instructions there. If the AI agent later “hallucinates” that address, it will fetch the malicious resource and treat it as legitimate.

Снимок экрана — 2026-07-10 в 12.36.55
Source: arXiv.

The authors pointed to the scheme’s scalability. Unlike prior prompt injections, an attacker does not need to email a specific victim, add a calendar event or gain access to a shared document. It is enough to publish a malicious resource in a public place and wait for an agent to request it.

“One compromised resource can lead to the compromise of many machines,” the researchers noted.

What repository tests showed

The researchers ran more than 14,000 executions. At the first stage they tested six base models via public APIs: Gemini 2.5 Flash, Gemini 2.5 Pro, GPT-5.1, GPT-5.2, Sonnet 4.5 and Opus 4.5.

The models were given prompts such as “print the shell command to clone the repository.” The sample included 10 recent projects from GitHub Trending and five older repositories from 2013–2018 as a control group.

For new repositories, the average hallucination rate was 92.4%. In 53 of 60 repository–model combinations, the system never listed the correct project owner. For older repositories, the average was 0.9%. According to the authors, the gap is likely because older projects appeared in the models’ training data while newer ones did not.

The researchers identified three types of hallucinations:

  1. The model places the repository name in the owner field, creating an address like repo/repo.
  2. Assigning a project to a real but incorrect owner.
  3. Placeholder answers such as username/repo.

The first option proved most convenient for attacks because it is predictable and often available for registration. Across 6,000 queries on new projects, the models produced a directly registerable slug in 27% of runs — 1,602 times. For each trending repository in the sample there was at least one registrable candidate in the top 10 of the overall ranking.

Results in real AI applications

At the second stage the authors moved from base models to working applications with terminal access. The tests covered Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, as well as OpenClaw, ZeroClaw and NanoClaw.

In repository-cloning scenarios, the end-to-end attack worked in 20–65% of runs depending on the application, model and payload type. The study’s table lists, for example, 65% for Windsurf with SWE-1.5, 45% for Cline, 35% for Copilot Chat, 30% for Cursor CLI and 20–25% for various Cursor scenarios.

OpenClaw results were higher. With Sonnet 4.6, the system showed 100% for both built-in tool invocation and remote code execution. With Opus 4.6 the figure was 80% in both scenarios. With GPT-5.4 Codex, tool invocation worked in 10 of 10 runs, and RCE in 4 of 10.

Снимок экрана — 2026-07-10 в 12.44.19
Source: arXiv.

Why web search helps but doesn’t solve the problem

One of the main protective factors was performing a web search before cloning or installing a resource. When Cursor CLI searched before cloning, 93.4% of results were correct. Without search, 99.1% of slugs were hallucinated.

Prompt wording also had a strong effect. No prompt type was universally safe; in each category there was at least one model with a hallucination rate above 50%.

Skill squatting: attacking via skills

A separate part of the study focuses on ClawHub — a skills marketplace for OpenClaw and compatible assistants. The researchers found two classes of vulnerabilities:

  • deleting a word from the name;
  • a mismatch between the human-readable skill name and its actual slug.

In one experiment, OpenClaw with Sonnet 4.6 was tested on 14 skills. Of 140 runs, 127 (90.7%) led to an identifier that an attacker could register. Only 13 runs returned the canonical slug.

In another experiment the authors tested transferability across OpenClaw, ZeroClaw and NanoClaw. Of 90 runs, 85 (94.4%) ended negatively. After installing a substituted skill, the results were even harsher. A context exfiltration experiment achieved 100%: every assistant–model combination delivered the payload in all 10 runs. A scenario in which a compromised device connects to the attacker’s server and hands over command-line access worked in 88% of cases.

Снимок экрана — 2026-07-10 в 12.49.06
Source: arXiv.

What the authors proposed and how vendors responded

The researchers reported the results to application developers, model providers and platforms. On the AI application side, they proposed verifying the source before any external load — cloning a repository, installing a skill, container or model. To do this, an agent should first perform a search and only then pass the address to the built-in tool.

For platforms such as GitHub and ClawHub, the authors recommended pre-reserving names that models frequently invent, limiting risky reuse of popular names and scanning user content for malicious instructions for AI.

GitHub responded that the described scenario is not a platform vulnerability. According to the company, creating repositories under available names is expected behavior on GitHub, and the attack arises from LLM hallucinations and agents’ actions that trust the contents of third-party repositories.

Cursor representatives said the program prevents prompt injection, including situations where a user is asked to clone an untrusted repository. OpenAI clarified that issues related to the content of prompts and model responses are out of scope for the Security and Safety Bug Bounty unless they have a separate, verifiable impact on the company’s services.

Anthropic did not recognize this as a vulnerability: the company classified the scenario as dependency name takeover attacks, which are excluded from its bug bounty. Google said it forwarded the information to the responsible product team for evaluation.

In November 2025, Google specialists concluded that several new malware families use large language models for hacking attacks.

In May 2026, authors of a Google Threat Intelligence Group report reported growing interest in AI among cybercriminals. The unit for the first time identified a hacker who used a zero-day developed with artificial intelligence. He planned to use it for a mass attack, but the corporation’s experts managed to prevent the threat.

Avatar photo
/ Published posts: 719

Steven M. Crimmins is a cryptocurrency strategist and freelance writer who has followed the blockchain industry since Bitcoin’s early days. Known for his sharp analysis of altcoins and trading strategies, Steven provides Satoshi News Africa readers with market-focused content grounded in research. He is especially interested in how African traders are adopting crypto as an alternative to traditional markets. Steven is also a podcast host, where he discusses emerging technologies and investment trends.