HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers demonstrated HalluSquatting, an indirect prompt-injection technique that can push AI coding assistants to fetch attacker-controlled resources and execute code. The technique abuses predictable hallucinated package or plugin names, turning a naming error into attacker code execution and a plausible path to botnet installation across many machines. In tests against Cursor, Windsurf, GitHub Copilot, Cline, and Gemini CLI, the same wrong name was often reused, showing the attack can be repeatable at scale. The finding raises risk for any assistant with fetch-and-run permissions and limited human review.
Related Happenings
AI coding assistants GhostApproval symlink security flaw
Vulnerability
H score22
First: 09.07.2026 07:27
Last: 09.07.2026 07:27
Sources 1
About this happening:
A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
AI coding assistants GhostApproval symlink security flaw
VulnerabilityAbout this happening: A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive Guidance
H score28
First: 08.07.2026 20:02
Last: 08.07.2026 20:02
Sources 1
About this happening:
AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive GuidanceAbout this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
H score22
First: 06.07.2026 09:33
Last: 06.07.2026 09:33
Sources 1
About this happening:
**SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical AnalysisAbout this happening: **SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...
AI coding assistant adoption becomes near-universal while governance lags in software development teams
Trend
H score16
First: 09.06.2026 18:00
Last: 09.06.2026 18:00
Sources 1
About this happening:
**AI coding assistants** are now used by **97%** of software engineers and DevOps professionals, but only **30%** have fully governed oversight, leaving security and compliance co...
AI coding assistant adoption becomes near-universal while governance lags in software development teams
TrendAbout this happening: **AI coding assistants** are now used by **97%** of software engineers and DevOps professionals, but only **30%** have fully governed oversight, leaving security and compliance co...
AI-driven worm reasons at runtime and self-replicates across a 33-host test network
Technical Analysis
H score40
First: 09.06.2026 14:59
Last: 09.06.2026 14:59
Sources 1
About this happening:
Researchers demonstrated a **proof-of-concept AI-driven worm** that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a **33-host** vulnerable te...
AI-driven worm reasons at runtime and self-replicates across a 33-host test network
Technical AnalysisAbout this happening: Researchers demonstrated a **proof-of-concept AI-driven worm** that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a **33-host** vulnerable te...
Timeline
-
08.07.2026 18:07 2 articles · 1d ago
Researchers disclose HalluSquatting code execution against AI coding assistants
Initial DisclosureResearchers from Tel Aviv University, Technion, and Intuit disclosed HalluSquatting, an indirect prompt-injection technique that targets AI coding assistants by pre-registering hallucinated package or repository names on GitHub or a plugin store, then feeding the assistant attacker-controlled content so its command-running tool executes attacker code. In testing, Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants were driven to run attacker code, with the same wrong name recurring in up to 85% of repository requests and 100% of skill installs; the authors said the technique could help assemble a botnet and that they notified affected vendors, model makers, and marketplace operators before going public.
Show sources
- New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware — thehackernews.com — 08.07.2026 18:07
- New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware — thehackernews.com — 08.07.2026 18:07