Find notable cyber news and cases, enriched with sources, timelines, and signals.

HalluSquatting indirect prompt-injection attack on AI coding assistants

Technical Analysis
First reported
Last updated
Happening score
H score 3
1 unique sources, 1 articles

Summary

Hide ▲

Researchers demonstrated HalluSquatting, an indirect prompt-injection technique that can push AI coding assistants to fetch attacker-controlled resources and execute code. The technique abuses predictable hallucinated package or plugin names, turning a naming error into attacker code execution and a plausible path to botnet installation across many machines. In tests against Cursor, Windsurf, GitHub Copilot, Cline, and Gemini CLI, the same wrong name was often reused, showing the attack can be repeatable at scale. The finding raises risk for any assistant with fetch-and-run permissions and limited human review.

Related Happenings

AI coding assistants GhostApproval symlink security flaw

Vulnerability
H score22 First: 09.07.2026 07:27 Last: 09.07.2026 07:27 Sources 1

About this happening: A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....

Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints

Defensive Guidance
H score28 First: 08.07.2026 20:02 Last: 08.07.2026 20:02 Sources 1

About this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...

SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware

Technical Analysis
H score22 First: 06.07.2026 09:33 Last: 06.07.2026 09:33 Sources 1

About this happening: **SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...

AI coding assistant adoption becomes near-universal while governance lags in software development teams

Trend
H score16 First: 09.06.2026 18:00 Last: 09.06.2026 18:00 Sources 1

About this happening: **AI coding assistants** are now used by **97%** of software engineers and DevOps professionals, but only **30%** have fully governed oversight, leaving security and compliance co...

AI-driven worm reasons at runtime and self-replicates across a 33-host test network

Technical Analysis
H score40 First: 09.06.2026 14:59 Last: 09.06.2026 14:59 Sources 1

About this happening: Researchers demonstrated a **proof-of-concept AI-driven worm** that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a **33-host** vulnerable te...

Timeline

  1. 08.07.2026 18:07 2 articles · 1d ago

    Researchers disclose HalluSquatting code execution against AI coding assistants

    Initial Disclosure

    Researchers from Tel Aviv University, Technion, and Intuit disclosed HalluSquatting, an indirect prompt-injection technique that targets AI coding assistants by pre-registering hallucinated package or repository names on GitHub or a plugin store, then feeding the assistant attacker-controlled content so its command-running tool executes attacker code. In testing, Cursor, Windsurf, GitHub Copilot, Cline, Google's Gemini CLI, and the OpenClaw family of assistants were driven to run attacker code, with the same wrong name recurring in up to 85% of repository requests and 100% of skill installs; the authors said the technique could help assemble a botnet and that they notified affected vendors, model makers, and marketplace operators before going public.

    Show sources