{*}
Add news
March 2010 April 2010 May 2010 June 2010 July 2010
August 2010
September 2010 October 2010 November 2010 December 2010 January 2011 February 2011 March 2011 April 2011 May 2011 June 2011 July 2011 August 2011 September 2011 October 2011 November 2011 December 2011 January 2012 February 2012 March 2012 April 2012 May 2012 June 2012 July 2012 August 2012 September 2012 October 2012 November 2012 December 2012 January 2013 February 2013 March 2013 April 2013 May 2013 June 2013 July 2013 August 2013 September 2013 October 2013 November 2013 December 2013 January 2014 February 2014 March 2014 April 2014 May 2014 June 2014 July 2014 August 2014 September 2014 October 2014 November 2014 December 2014 January 2015 February 2015 March 2015 April 2015 May 2015 June 2015 July 2015 August 2015 September 2015 October 2015 November 2015 December 2015 January 2016 February 2016 March 2016 April 2016 May 2016 June 2016 July 2016 August 2016 September 2016 October 2016 November 2016 December 2016 January 2017 February 2017 March 2017 April 2017 May 2017 June 2017 July 2017 August 2017 September 2017 October 2017 November 2017 December 2017 January 2018 February 2018 March 2018 April 2018 May 2018 June 2018 July 2018 August 2018 September 2018 October 2018 November 2018 December 2018 January 2019 February 2019 March 2019 April 2019 May 2019 June 2019 July 2019 August 2019 September 2019 October 2019 November 2019 December 2019 January 2020 February 2020 March 2020 April 2020 May 2020 June 2020 July 2020 August 2020 September 2020 October 2020 November 2020 December 2020 January 2021 February 2021 March 2021 April 2021 May 2021 June 2021 July 2021 August 2021 September 2021 October 2021 November 2021 December 2021 January 2022 February 2022 March 2022 April 2022 May 2022 June 2022 July 2022 August 2022 September 2022 October 2022 November 2022 December 2022 January 2023 February 2023 March 2023 April 2023 May 2023 June 2023 July 2023 August 2023 September 2023 October 2023 November 2023 December 2023 January 2024 February 2024 March 2024 April 2024 May 2024 June 2024 July 2024 August 2024 September 2024 October 2024 November 2024 December 2024 January 2025 February 2025 March 2025 April 2025 May 2025 June 2025 July 2025 August 2025 September 2025 October 2025 November 2025 December 2025 January 2026 February 2026 March 2026 April 2026 May 2026 June 2026 July 2026
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
20
21
22
23
24
25
26
27
28
29
30
31
News Every Day |

HalluSquatting AI attack could hijack your computer

You ask an artificial intelligence assistant to download a popular software tool. It confidently finds the project, retrieves the files and starts setting everything up. There is one problem. The AI found the wrong project. That mistake may sound like another frustrating AI hallucination. However, researchers have shown how an attacker could turn that wrong answer into a malware delivery system.

The technique is called HalluSquatting. It targets AI tools that can browse the internet, retrieve software and run commands on your computer. An attacker could use it to steal sensitive information or quietly recruit your device into a botnet, a network of infected devices controlled remotely.

In a recent research paper, researchers from Tel Aviv University, Technion and Intuit detailed HalluSquatting and tested it against popular AI coding tools and personal assistants. Here is how the attack works and what you can do before an AI assistant downloads the wrong file.

Free live CyberGuy class: Sick of Spam? Join us July 22.

Join us Wednesday, July 22, at 1 p.m. ET for a free CyberGuy Live class that will help you cut down on robocalls, spam texts, junk email and other unwanted messages. Kurt "CyberGuy" Knutsson will walk you step by step through simple ways to filter spam, clean up your inbox and recognize the messages that could put your personal information at risk. No technical experience is needed. You’ll also receive our spam-stopping checklist, and every registrant will get a link to the class recording afterward.

Reserve your free spot today at CyberGuyLive.com.

HACKERS THREATEN TO LEAK DATA FROM 275M USERS AFTER BREACHING MAJOR COLLEGE PLATFORM USED NATIONWIDE

AI hallucinations happen when a model invents information and presents it as accurate. That could be a fake statistic or a software project that never existed. HalluSquatting focuses on fake software resources.

AI coding assistants sometimes need the full online address of a software repository. However, you may only give the assistant a project name. The AI must then determine who owns the project and where the official files live. When it does not know the answer, it may guess.

An attacker can repeatedly ask AI models to locate a popular or trending project. That process may reveal fake repository names the models invent regularly. The attacker can then register one of those names before someone else does. As a result, the AI's imaginary project becomes a real online trap.

First, the attacker identifies a software project or AI skill that is gaining attention. Newer resources may create a larger opportunity because an AI model may have little reliable information about them. Next, the attacker studies how different AI models respond when asked to locate that resource. The researchers found that models can repeat the same fake names across different prompts.

The attacker then creates a repository, software package or AI skill using one of those hallucinated names. Malicious instructions can be placed inside its files, setup scripts or documentation. Later, you ask your AI assistant to retrieve the real project. Instead, the assistant invents the attacker-controlled name and downloads those files.

The assistant may then read the hidden instructions as part of its assigned task. If the assistant has access to a terminal, it could also run the attacker's commands. Those commands may download more software or search files stored on the computer. The unsettling part is that you may never enter the wrong name. The AI creates the mistake and then acts on it.

AI CHATBOTS TAKE HEAT OVER LEFT-WING BIAS: ‘NO LONGER BE CONSIDERED NEUTRAL’

Unlike a basic chatbot, an autonomous AI agent can take actions on your behalf, including browsing websites and running commands. A regular chatbot may give you a broken link. You click it, discover that it goes nowhere and close the page. An AI agent can go much further. Agentic AI tools can download files, install software and operate a computer terminal. Those abilities make the tools useful.

However, they also give prompt injection attacks more power when an agent follows malicious instructions. The researchers showed that malicious instructions inside a squatted resource could trigger remote tool execution or remote code execution. In other words, the AI assistant could run an attacker's commands on the computer where the assistant operates.

The potential damage depends heavily on the assistant's permissions. An agent with broad file access creates a much larger risk. The danger also grows when the agent can run commands without asking for approval.

The researchers examined Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline and Gemini CLI. They also tested OpenClaw and related personal AI assistants. Hallucination rates reached as high as 85% during repository-cloning scenarios. Some skill-installation tests reached 100%.

The researchers also found that hallucinated names could transfer across different foundation models. In other words, several AI systems might invent the same fake resource. The team successfully demonstrated remote tool execution and remote code execution against production AI applications with integrated terminals.

However, the researchers used controlled resources and harmless test payloads. The study did not document a widespread criminal HalluSquatting campaign. Still, the research shows that the attack path can work.

One finding offers a clear clue about how AI companies could reduce the danger. An AI assistant should search for a repository or package before downloading it. That search can help confirm whether the resource exists and who owns it. However, AI tools do not always perform that search.

The assistant may rely on its training data instead. If the project is unfamiliar, the model may generate a convincing but incorrect answer. Researchers and security experts recommend requiring AI agents to perform live lookups before they clone, fetch or install outside resources.

Even a search cannot guarantee safety. An attacker may have already registered the hallucinated name. Therefore, the assistant must also verify the resource's owner, history and connection to the official developer.

A botnet is a collection of compromised devices controlled by an attacker. Criminals can use botnets to spread malware, mine cryptocurrency or overwhelm online services. Traditional botnets often spread through software flaws or weak passwords. They may also target large groups of similar connected devices. HalluSquatting proposes another delivery route.

An attacker could plant one malicious resource and wait for AI agents to pull it onto unrelated computers. Those computers could run different operating systems and sit on separate networks. The common weakness would be the AI agent's willingness to trust a hallucinated resource.

The researchers describe how this setup could support an "agentic botnet." The AI would deliver the malicious instructions and run the commands needed to install the botnet malware. However, the team did not release a real botnet. Researchers also withheld attack details that criminals could directly reuse.

AI companies can make searches mandatory before agents retrieve outside resources. They can also require human approval before an agent runs downloaded code. Stronger warnings should appear when a resource has little history or comes from an unverified owner.

Meanwhile, software platforms could identify frequently hallucinated names before attackers register them. Platforms may also restrict the reuse of well-known project names under unrelated accounts. Security layers that inspect downloaded instructions could reduce exposure. However, researchers warn that no single control can remove the entire risk.

The HalluSquatting researchers notified affected vendors before publishing their work. They also withheld details that they believed attackers could reuse. The paper does not claim that every tested application has released a complete fix. HalluSquatting reflects a broader weakness in how AI agents generate and trust resource names.

HalluSquatting depends on an AI assistant trusting an unverified resource and acting with little supervision. These steps can interrupt that chain before an attacker gains access to your computer.

Do not rely on an AI-generated repository name alone. Visit the developer's official website. Then, follow its link to the correct repository or software download page. Check the account owner as well as the project name. An attacker may use a familiar project name under an unrelated account. You should also review the repository's history. A newly created account with little activity deserves extra scrutiny.

Tell the assistant to perform a live web search before cloning, fetching or installing a resource. Ask it to show you the official owner and full address before it takes action. Then, compare that information with the developer's website. This step can reduce the chance that an AI model will rely on an invented name. Still, you should review the result yourself before approving a download.

Avoid modes that allow an AI agent to run terminal commands without asking you first. Some coding tools call these auto-run, skip-permissions or unrestricted modes. The exact wording depends on the application. Require approval for each command, especially when the AI downloads an outside file. Also stop the process when the assistant cannot clearly explain what a command will do.

Read the full command before approving it. Be cautious when a command connects to an unfamiliar website or downloads an additional script. Commands that change security settings also deserve close attention. Do not approve a command because the AI says it is safe. Verify unfamiliar commands through official documentation.

Avoid running an AI coding assistant with administrator access unless the task requires it. Only give the agent access to the files needed for the current project. Keep tax records, personal documents and private photos outside its working folders. In addition, remove integrations the agent no longer needs. Those may include cloud storage accounts or workplace systems. An attacker can cause less damage when the compromised agent has fewer permissions.

Test unfamiliar AI-generated code inside an isolated environment. A virtual machine, development container or sandbox can separate the code from the rest of your computer. If something goes wrong, the malicious activity may remain contained. Security researchers also recommend isolated installation environments for AI-generated package commands.

Strong antivirus software can add another layer of protection. It may detect a malicious download, suspicious script or unexpected attempt to change your system. Some security tools can also block connections to known dangerous websites. However, antivirus software cannot guarantee that an AI assistant will select the correct repository. You still need to verify the source and review commands. Keep real-time protection enabled. In addition, allow the software to update its threat definitions automatically. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com

AI coding tools may work with passwords, access tokens or API keys. Those credentials can give an attacker access to valuable accounts. Do not store sensitive credentials in plaintext project files. Instead, use secure environment variables or a trusted secrets manager. Use strong and unique passwords for important accounts. A password manager can create and store them. Also turn on two-factor authentication wherever it is available. That can make a stolen password harder to use.

Install updates for your operating system, browser and AI applications. Updates may fix security problems or add stronger approval controls. They may also improve how an AI tool verifies outside resources. However, HalluSquatting relies partly on AI hallucinations. Therefore, software updates alone may not remove the risk.

Businesses and development teams should limit which software sources AI agents can access. Teams can create allowlists for trusted publishers. They can also pin package versions and verify cryptographic hashes. Automated dependency scanners may flag known vulnerabilities before software reaches a live system. Software bills of materials can help teams track where each component came from. They also make it easier to identify affected projects after a security problem appears.

Review the agent's activity history when the application provides one. Look for unexpected downloads or commands you do not remember approving. New software, unusual pop-ups or unexplained computer slowdowns may also warrant a closer look. If you suspect that an AI agent ran malicious code, disconnect the computer from the internet. Then, run a full antivirus scan. Change important passwords from a different trusted device. You should also revoke exposed API keys or access tokens.

We already know AI can confidently make things up. HalluSquatting shows what can happen when an AI tool acts on its own bad answer. An assistant may invent a software address and download files controlled by an attacker. If the agent has terminal access, it may also run malicious instructions using your permissions. The research does not show that HalluSquatting attacks are suddenly infecting computers everywhere. However, it exposes a security gap that AI companies need to address as agents gain more control. For now, do not give an AI assistant unlimited freedom to install software or run commands. Verify every source, keep approval controls turned on and use strong security software as a backup layer.

How much control would you feel comfortable giving an AI assistant over your computer before it has to stop and ask for permission? Let us know by writing to us at Cyberguy.com

Sign up for my FREE CyberGuy Report

Copyright 2026 CyberGuy.com. All rights reserved.

Ria.city






Read also

Fraud expert warns AI is helping criminals outpace the government: 'Don't have the right tools'

Why KFC stopped calling itself Kentucky Fried Chicken — and the myths that still won't die

MLB Power Rankings: Here are October contenders, pretenders

News, articles, comments, with a minute-by-minute update, now on Today24.pro

Today24.pro — latest news 24/7. You can add your news instantly now — here




Sports today


Новости тенниса


Спорт в России и мире


All sports news today





Sports in Russia today


Новости России


Russian.city



Губернаторы России









Путин в России и мире







Персональные новости
Russian.city





Friends of Today24

Музыкальные новости

Персональные новости