Share with your CISO
Researchers from Tel Aviv University, Technion, and Intuit have documented a supply chain attack technique they call HalluSquatting, in which attackers predict the fake package and repository names that AI coding agents hallucinate, register those names with malicious code, and wait for the agents to pull the malware autonomously. Tested against GitHub Copilot, Google Gemini CLI, Cursor, and others, the technique succeeded in getting agents to hallucinate false repository names 85% of the time and false skill names 100% of the time. No phishing email required.
What this means for your business
The threat model your security team built around developer behavior no longer covers your actual attack surface. When a GitHub Copilot or Cursor session autonomously installs a dependency without a human confirming the package name, the human is no longer in the kill chain. Your application security controls, code review policies, and developer training programs were all designed for a world where a person typed the package name. That world is receding fast.
The researchers make a point worth internalizing: hallucination rates are highest for recently uploaded, trending packages, precisely because those packages weren’t in the model’s training data. That means the attack surface grows in direct proportion to how current and actively developed your codebase is. The teams moving fastest with agentic coding tools are also the teams with the highest exposure. Speed and risk compound together here, not separately.
The signal worth watching: this attack requires no direct access to your systems and no interaction with your developers. Attackers register names, post malicious packages, and collect infections passively. That passive, infrastructure-level patience is the same playbook that made typosquatting durable for two decades. HalluSquatting will be exploited at scale before most enterprise security teams have updated their software composition analysis tooling to account for it. The question is whether your agentic deployment policies require human confirmation on package installation before that happens.
Concept deep-dive: Agentic supply chain hallucination
Traditional package confusion attacks relied on human typos. HalluSquatting works differently: it exploits the fact that large language models generate plausible-sounding but nonexistent identifiers when asked to retrieve resources they were never trained on. Think of it as the model confidently giving you directions to a street that doesn’t exist, except an attacker has since built a building there. Because agentic coding tools execute terminal commands autonomously, the hallucinated package gets installed without a human ever seeing the name. The business consequence is malware delivery with zero social engineering.
Based on reporting from ‘HalluSquatting’ Compromises AI Coding Agents to Install Malware, Create Botnets, originally published 2026-07-13 04:20:00.

