AI coding assistants have a habit of inventing things that don't exist. Attackers just figured out how to make that a business model.

The trick is called HalluSquatting, and researchers walked through it in a report this week. When you ask a coding assistant to grab a package or install a skill, it will sometimes confidently recommend a repository name that isn't real. That part isn't new. What is new is that the wrong names are surprisingly consistent. Ask Cursor, Copilot, or Gemini CLI the same kind of question and they tend to hallucinate the same fake name, over and over. Attackers just need to register that name first.

The researchers tested nine of the most popular AI coding tools, including Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family. All nine were successfully tricked into running attacker-supplied code once the fake repo was in place. Hallucinated names showed up in up to 85% of repository requests and 100% of skill installs, no matter which model was answering.

"There is no single CVE to patch here," the researchers wrote, which is a polite way of saying this isn't a bug in one product. It's a property of how the whole category works.

Michael Bargury, the CTO of AI security firm Zenity, framed it as typosquatting for the AI era. Typosquatting is when someone registers a domain like gooogle.com and waits for people to fat-finger their way in. Same idea here, except the assistant is doing the typing. "It's a problem that's not going away," Bargury said. "At the end of the day, it's about the level of agency we allow our agents."

That's really the story. The ransomware side of this we covered last week with JADEPUFFER, where an agent ran a full extortion campaign end to end. HalluSquatting is the quieter version and probably the more common one. Instead of hijacking an agent, you just wait for the agent to walk into a trap it built for itself.

Johann Rehberger, an independent security researcher, described the mechanism in plain terms: attackers can probe models to figure out which fake names they hallucinate most often, register those names, and then sit back while the AI keeps sending developers their way. The model becomes the distribution channel.

The scale is already showing up. Phoenix MPI tracked 59 supply-chain attack campaigns over the past year, and a single worm event in May produced more malicious packages than a quarter of the manual campaigns combined. That's what worries people. Not that any one attack is devastating, but that automation is stacking them faster than defenders can respond.

The tooling to catch this isn't ready either. Trend AI Security found that reasoning-enabled agents cut hallucinated package suggestions roughly in half, and real-time validation checks helped further, but nothing closed the gap. David Slater, co-founder of Armadin, told Axios the industry is still barely measuring the right things: "We are very far away from measuring whether this thing can, in a real environment, do something dangerous."

Into the Valley

The uncomfortable part of all this is that AI coding tools are being trusted with more autonomy than the security around them can support. Developers are shipping code they didn't fully write, pulling in packages they didn't fully verify, and installing skills from marketplaces nobody is really auditing. HalluSquatting works because the assistant is confident and the developer is busy, and there is no version of that equation that gets safer as more people adopt these tools. If a company wants to know where its next breach is coming from, it might want to check what its engineers have been vibe coding this week.