Researchers have identified a new attack technique called HalluSquatting, which exploits the tendency of AI coding assistants to generate plausible but nonexistent software package names. An attacker can predict these hallucinated names, register them on legitimate package repositories, and wait for a developer's AI assistant to fetch and install the malicious payload.

While no specific CVEs or CVSS scores have been assigned yet, the attack is notable for its low barrier to entry and reliance on a fundamental AI behavior. No active exploitation in the wild has been reported, but the researchers warn that the technique could be used to distribute botnet malware or other payloads into development pipelines.

The attack works by identifying patterns in how an AI assistant hallucinates package names for popular tools. Once these nonexistent names are registered as malicious packages, any developer using the assistant to retrieve the tool could inadvertently install the malware. Indicators of compromise include unexpected network traffic from package managers or the presence of unfamiliar package names in dependency files.

No official patches are available, as this is an abuse of AI system behavior rather than a software vulnerability. Mitigation relies on developers reviewing AI-suggested package names against official registries before installation, and on AI providers implementing guardrails to reduce hallucination rates for package recommendations.

Attribution for the research has not been publicly tied to a specific threat actor, but the work highlights growing risks in the AI-assisted software development ecosystem. As AI coding tools become more prevalent, their unique failure modes—like hallucination—represent a new attack surface that security teams must proactively monitor.