« All posts

HalluSquatting: How AI Coding Agents Turn Into a Botnet

AI coding tools like Cursor, Copilot, and Gemini CLI can hallucinate package names that attackers pre-register with malware, turning normal agent use into silent compromise.

A July 2026 report identified a shared weakness across popular AI coding agents — Cursor, GitHub Copilot, Gemini CLI, Windsurf and others — where models frequently hallucinate plausible but nonexistent package or repo names when asked to clone trending code or install helper tools. Dubbed HalluSquatting, the technique inverts classic prompt injection: rather than targeting a specific victim, attackers predict which names a model is likely to hallucinate, pre-register those names on GitHub or package registries with malicious payloads like reverse shells, and wait. Any agent that hallucinates the same name and auto-installs it without human verification becomes compromised, making this a botnet-assembly method that scales with a tool's popularity rather than attacker effort.

Existing defenses structurally miss this attack. Prompt injection filters scan for adversarial input, but here the hallucinated output itself is the threat; SCA scanners and CVE databases can't flag brand-new packages created specifically for the attack, since they have no vulnerability history. Code review typically happens too late, as cloning and execution often occur in the same automated session before a human ever sees the diff.

Sentinel's SlopScan integration addresses this by checking every package name extracted from LLM output against live PyPI/npm data before the agent acts on it, evaluating existence and trust score rather than relying on CVE blocklists. This lets it catch both nonexistent hallucinated names and freshly registered malicious packages with no reputation, independently of the main threat-scoring pipeline — meaning a prompt can look completely clean while still triggering a package-risk flag.

The broader lesson is that hallucinated package names are an inherent model property, not something prompt engineering can eliminate. Teams running autonomous coding agents need a verification layer between a model's suggestion and an agent's execution; for Sentinel users, enabling SlopScan is a simple dashboard toggle that closes this gap without touching agent prompting logic.