"HalluSquatting" is a newly identified class of cyberattack that exploits the tendency of Large Language Models (LLMs) to hallucinate nonexistent software packages. By predicting these hallucinations and registering the corresponding identifiers, attackers can trick AI coding assistants into downloading malicious code. This pull-based vector represents a significant shift from traditional, push-based prompt injection methods, as it allows for the potential mass infection of developer environments.
The Mechanics of HalluSquatting
Traditional prompt injection attacks—often referred to as "push" attacks—require an adversary to target a specific victim by injecting malicious instructions into content they are likely to consume, such as an email or a calendar invite. This approach limits the scale of the attack because it relies on the victim interacting with the specific malicious content.
HalluSquatting, as detailed in research by Spira et al., operates differently by leveraging the "pull" mechanism inherent in modern AI coding agents. Many AI-assisted coding tools, such as GitHub Copilot, Cursor, and various CLI-based agents, are designed to automatically fetch dependencies or libraries to assist developers. Because LLMs are probabilistic, they sometimes "hallucinate" or suggest package names that do not exist in public repositories like PyPI or npm.
Attackers identify these likely hallucinations and proactively register them in package registries. When a developer’s AI agent suggests one of these nonexistent packages, the agent may attempt to pull the resource from the repository. If the package has been registered by an attacker, the agent inadvertently installs malicious code, such as a reverse shell, directly into the developer’s environment.
Impact on AI Coding Assistants
The threat model specifically impacts tools that integrate LLMs into the development workflow. According to the researchers, the following tools have been identified as susceptible to this vector:

- Cursor and Cursor CLI
- Gemini CLI
- Windsurf
- GitHub Copilot
- Cline
- OpenClaw, ZeroClaw, and NanoClaw
Because these agents often operate with high-privilege command-line access, the successful execution of an attacker’s payload can lead to full system compromise. Unlike previous injection methods, HalluSquatting is indiscriminate; once a package is registered, any AI agent that hallucinates that specific name across the global developer community becomes a potential delivery mechanism.
Comparison: Push vs. Pull Attacks
The transition from push-based to pull-based attacks marks a critical evolution in AI security.

| Feature | Push-Based Attacks | HalluSquatting (Pull-Based) |
|---|---|---|
| Targeting | Individual victims (targeted) | Indiscriminate (at scale) |
| Mechanism | Victim consumes malicious content | LLM fetches hallucinated resources |
| Scalability | Limited by per-victim engagement | High; automated via package registries |
| Primary Goal | Direct prompt manipulation | Dependency confusion/malicious injection |
Mitigating the Risk
The vulnerability stems from the fundamental challenge of ensuring that an LLM can distinguish between legitimate instructions and adversarial input. Because current guardrails often focus on sanitizing inputs rather than addressing the underlying trust relationship between the model and external resources, developers remain at risk.
Worth a look