Researchers from Tel Aviv University, Technion, and Intuit published a paper on July 9 detailing a new class of cyberattack they’ve dubbed “HalluSquatting,” short for adversarial hallucination squatting. The technique weaponizes one of AI’s most well-known flaws: hallucinations, the tendency of large language models to confidently generate information that doesn’t exist.

How HalluSquatting works

When developers ask AI coding assistants to help install a software package or pull code from a GitHub repository, the model sometimes invents a package name that sounds right but doesn’t actually exist. But the researchers found that these hallucinated names are surprisingly predictable. Attackers can figure out which fake names an AI is likely to invent, register those names first, then stuff them with malicious code. When an AI agent later “hallucinates” that exact name and tries to download it, the developer unknowingly pulls in malware.

The success rates are genuinely alarming. Across various test scenarios, LLMs hallucinated incorrect repository names up to 85% of the time. For specific popular GitHub repositories assessed in 2025, the mean hallucination rate surpassed 92%. Some tests targeting particular skill installations hit a perfect 100% hallucination rate.