AI hallucinations are generally considered a problem of wrong answers. But new research suggests they could become a serious security threat.
Researchers from Tel Aviv University, Technion, and Intuit published a paper titled “Beware of Agentic Botnets: Scalable, Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” They show how AI models that generate fake links to software repositories or other online resources can be exploited by attackers.
The method is called contradictory hallucination squatting, or HalluSquatting. It works like this: attackers predict which fake resources an AI model is likely to create. Then they record these names and add malicious content. If an AI agent later attempts to use one of these hallucinated resources, it may consider the code or instructions controlled by the attacker as legitimate.
The move to agentic AI
The threat increases as AI assistants go beyond simply answering questions. They now interact directly with computers. They can access files, search the web, write code, and run commands. This makes them powerful but also creates security vulnerabilities. When these agents act on the information they retrieve without verifying whether the source is real, they can be deceived.
“The increasing adoption of LLM agent applications has introduced a new threat previously called promptware,” the researchers wrote. They noted that while previous attacks required direct channels to AI, this method only works over the Internet.
Real-world test results
During testing, the team discovered that the AI models were hallucinating resources at high rates. In repository cloning scenarios, the rate reached 85%. In the skill installation tests, it was 100%. They tested the technique with popular coding assistants and agents, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw.
Researchers warn that this could be used to create AI-based botnets. A botnet is a network of infected computers or devices controlled remotely by an attacker. They are often used in denial of service attacks, cryptocurrency mining, or ransomware campaigns.
Similar to Typosquatting, but for AI
HalluSquatting is similar to typosquatting. This is a tactic where attackers register domain names that look like real websites or software packages to fool users who type incorrectly. HalluSquatting instead targets errors made by AI models.
This is not the only research on the safety of AI agents. In April, Google researchers showed how malicious websites could hijack AI agents through indirect injection. They demonstrated attacks that included stealing passwords, deleting files, and manipulating payments. Another study on the “CopyPasta” attack showed how hidden prompts in developer files could trick AI coding assistants into delivering malicious code.
In June, an OpenClaw user reported more than 6,000 attempts by attackers to trick the AI agent into disclosing sensitive information. The pattern is clear: as AI agents acquire more abilities, they also become bigger targets. The researchers suggest that developers should be careful about how these agents process external information.
![]()



