Researchers warn AI agents could be hijacked through fake resources
A new paper says AI hallucinations can be exploited when autonomous agents trust made-up repositories, tools or links controlled by attackers.
By Dev Ramirez · Crypto Correspondent
· 3 min read
AI agents that browse the web, write code and run commands may create a fresh security risk when they trust resources they invented themselves. For investors watching the AI buildout, the warning is straightforward: the more autonomy these tools get, the more their mistakes can turn into real-world exposure.
Researchers from Tel Aviv University, Technion and Intuit described the risk in a paper titled “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” The team said attackers could exploit AI hallucinations, which are false or made-up outputs from a model, by registering fake software repositories or online resources that AI systems are likely to cite.
The method is called adversarial hallucination squatting, or HalluSquatting. It works by anticipating the names of resources an AI model may fabricate, taking control of those names, and planting malicious instructions there. If an AI agent later searches for that made-up resource and retrieves the attacker-controlled page, repository or tool, it may treat the content as trustworthy.
How the attack works
The researchers said the threat is tied to “agentic” large language model applications. A large language model, or LLM, is the AI system behind tools that generate text, code or other outputs. Agentic applications go further than chat: they can access files, search online, install tools, write code and execute commands on a user’s computer.
That added freedom creates a bigger attack surface. A chatbot that gives a bad answer may waste time. An agent that follows a bad instruction can take action inside a live computing environment.
The paper groups this kind of malicious instruction as “promptware,” a term the researchers use for attacks that manipulate LLM applications through prompts or prompt-like content. The team wrote that earlier work had shown promptware attacks against systems including ChatGPT, Google Assistant, Copilot and other applications, with potential financial, privacy and safety effects.
In controlled tests, the researchers said AI-generated resource hallucinations appeared at rates as high as 85% in repository cloning scenarios and 100% in skill installation tests. The team tested the technique against AI coding assistants and agents including Cursor, GitHub Copilot, Gemini CLI and OpenClaw.
The researchers also said the method could lead to remote code execution in controlled experiments. Remote code execution means an attacker can cause software to run commands on another machine, a serious class of vulnerability because it can move an attack from a misleading response into system-level activity.
Why botnets enter the picture
The paper warns that HalluSquatting could be used to help build AI-enabled botnets. A botnet is a group of compromised computers or devices that an attacker controls remotely. Botnets are commonly used for denial-of-service attacks, cryptocurrency mining, malware distribution and ransomware campaigns, according to the researchers’ discussion of the risk.
The concept resembles typosquatting, where attackers register domains or software package names that look like legitimate ones. HalluSquatting shifts the target from human typing errors to AI-generated mistakes: the attacker does not need a user to mistype a name if the model fabricates one and the agent follows it.
The researchers’ warning lands as companies push AI assistants deeper into software development and operational workflows. Their core point is that autonomy changes the cost of hallucination: a made-up link can become an execution path if an agent is allowed to fetch, trust and run what it finds.
This story draws on original reporting from Decrypt.