Hackers can use 9 of the most popular AI tools to assemble massive botnets

Ars Technica News

Summary

Researchers have devised a pull-based prompt injection attack called HalluSquatting that exploits AI coding assistants' tendency to hallucinate resource identifiers, enabling the assembly of massive botnets and large-scale attacks.

<p>In the brief history of AI security, the prompt injection has quickly become the top threat. Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing. This makes it trivial to surreptitiously inject malicious commands that the LLM readily follows.</p> <p>With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause.</p> <p>To date, most prompt injections have fallen into a class known as push, in which each potential victim is targeted. For example, the adversary injects malicious instructions into an individual email or calendar invitation. Because the injection must then be sent (or pushed) to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large.</p><p><a href="https://arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets/">Read full article</a></p> <p><a href="https://arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets/#comments">Comments</a></p>
Original Article
View Cached Full Text

Cached at: 07/08/26, 08:17 AM

# Hackers can use 9 of the most popular AI tools to assemble massive botnets Source: [https://arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets/](https://arstechnica.com/security/2026/07/hackers-can-use-9-of-the-most-popular-ai-tools-to-assemble-massive-botnets/) In the brief history of AI security, the prompt injection has quickly become the top threat\. Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third\-party content the models are processing\. This makes it trivial to surreptitiously inject malicious commands that the LLM readily follows\. With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause\. To date, most prompt injections have fallen into a class known as push, in which each potential victim is targeted\. For example, the adversary injects malicious instructions into an individual email or calendar invitation\. Because the injection must then be sent \(or pushed\) to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large\. Meanwhile, pull\-based attacks, in which an LLM actively seeks out the adversarial prompts planted on websites, remain limited\. With no way to lure large numbers of LLMs to a malicious site, these sorts of attacks don’t scale either\. ## Enter HalluSquatting Now, researchers have devised a pull\-based attack that changes all that\. A new attack the researchers have named HalluSquatting has the potential to assemble massive botnets, perform large\-scale DDoSes, and infect devices at scale, a first for prompt\-injection attacks\. The attack works against AI coding assistants and agents, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw, which are all susceptible\. In the normal course of performing day\-to\-day activities, these assistants and agents routinely pull code and other resources from repositories and registries\. [![](https://cdn.arstechnica.net/wp-content/uploads/2026/07/hallusquatting-threat-model-640x281.png)](https://cdn.arstechnica.net/wp-content/uploads/2026/07/hallusquatting-threat-model.png) The HalluSquatting threat model\. Credit: Spira et al\. The HalluSquatting threat model\.Credit: Spira et al\. Short for adversarial hallucination squatting, HalluSquatting is built on an LLM’s inherent tendency to hallucinate the resource identifiers hosted in repositories and registries\. It works against coding agents and assistants, which commonly access high\-privilege command lines to run code from third\-party resources\. By predicting the identifiers LLMs are most likely to hallucinate and then registering and seeding them with instructions to install reverse shells or other malicious wares, the attack can indiscriminately infect massive numbers of devices without having to target each one\.

Similar Articles

Cybercriminals Are Making Powerful Hacking Tools With AI, Google Warns

Reddit r/artificial

Google warns that cybercriminals and nation-state actors are increasingly using AI to rapidly develop sophisticated hacking tools, including the first confirmed AI-generated zero-day exploit. The report highlights how AI lowers the technical barrier for cyberattacks, enabling even low-skilled hackers to execute complex operations.

Google DeepMind Researchers Map Out Ways Hackers Hijack AI Agents

Reddit r/artificial

Google DeepMind researchers published a paper titled 'AI Agent Traps' that maps six attack types hackers can use to hijack autonomous AI agents, including content injection, semantic manipulation, and behavioral control traps, and proposes layered defenses.

What happened after 2k people tried to hack my AI assistant

Hacker News Top

An AI assistant called Fiu, built on OpenClaw and Claude Opus 4.6, survived over 6,000 email-based prompt injection attacks from 2,000 people without leaking its secret. The experiment highlights the effectiveness of model-level prompt injection resistance and cost/operational challenges.