AI hallucinations are usually seen as a problem of wrong answers. But new research suggests they could become a serious security threat.
Researchers from Tel Aviv University, the Technion, and Intuit have published a paper titled “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting.” They show how AI models that generate fake links to software repositories or other online resources can be exploited by attackers.
The method is called adversarial hallucination squatting, or HalluSquatting. It works like this: attackers predict which fake resources an AI model is likely to create. Then they register those names and add malicious content. If an AI agent later tries to use one of these hallucinated resources, it may treat the attacker-controlled code or instructions as legitimate.
The Shift to Agentic AI
The threat is growing because AI assistants are moving beyond just answering questions. They now interact directly with computers. They can access files, search the web, write code, and run commands. This makes them powerful but also creates security gaps. When these agents act on information they retrieve without checking if the source is real, they can be tricked.
“The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware,” the researchers wrote. They noted that while previous attacks required direct channels to the AI, this method works through the internet alone.
Real-World Test Results
In testing, the team found AI models hallucinate resources at high rates. In repository cloning scenarios, the rate was up to 85%. In skill installation tests, it was 100%. They tested the technique against popular coding assistants and agents, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw.
The researchers warn this could be used to build AI-enabled botnets. A botnet is a network of infected computers or devices controlled remotely by an attacker. They are often used in denial-of-service attacks, cryptocurrency mining, or ransomware campaigns.
Similar to Typosquatting, but for AI
HalluSquatting is similar to typosquatting. That is a tactic where attackers register domain names that look like real websites or software packages to trick users who type wrong. HalluSquatting targets mistakes made by AI models instead.
This is not the only research on AI agent security. In April, Google researchers showed how malicious websites could hijack AI agents through indirect prompt injection. They demonstrated attacks that stole passwords, deleted files, and manipulated payments. Another study on the “CopyPasta” attack showed how hidden prompts in developer files could make AI coding assistants spread malicious code.
In June, an OpenClaw user reported over 6,000 attempts by attackers to trick the AI agent into leaking sensitive information. The pattern is clear: as AI agents gain more abilities, they also become bigger targets. The researchers suggest that developers need to be cautious about how these agents handle external information.
![]()

