HalluSquatting: When AI Coding Helpers Invent Fake Software, Criminals Register It First

Researchers show how attackers can predict the fake package names AI assistants make up, then publish real malware under those names, waiting for developers to install the trap.

ThreatVectr Newsdesk· 4 min read
Photoreal news-editorial image, 16:9, full frame edge to edge
Share

Key points

  • Researchers have named a new attack HalluSquatting, where criminals register software package names that AI coding assistants routinely invent out of thin air.
  • AI coding tools regularly "hallucinate", meaning they confidently suggest software libraries that do not actually exist.
  • Attackers who guess these fake names first can publish real, malicious software under them, so the next developer who trusts the AI ends up installing malware.
  • The technique builds on an older trick called typosquatting, but the bait is invented by the AI itself, not by a human typo.
  • Defences include locking installs to known-good package lists and training developers to verify anything an AI recommends before running it.

AI coding assistants have a well-known bad habit. Ask one where to grab a popular software tool, and it will sometimes reply with a confident, real-sounding name for a project that simply does not exist.

New research, first reported by The Hacker News, turns that quirk into a weapon. The authors call it HalluSquatting.

The idea is simple and unpleasant. Work out which fake names an AI reliably invents. Register those names on the public software libraries developers download from. Then wait.

When the next developer asks the assistant a similar question, the AI hands over the same made-up name. The developer types the install command. The trap springs.

What is actually being attacked here?

The target is the software supply chain: the pipes developers use to pull in ready-made building blocks for their own apps. Sites like npm (for JavaScript code) and PyPI (for Python code) host millions of these free building blocks, called packages. Anyone can publish one.

Normally a developer types something like pip install requests and gets a trusted, popular tool. HalluSquatting abuses that trust.

An AI assistant, asked how to solve a coding problem, might invent a package name that sounds plausible but was never real. If an attacker has already registered that exact name and stuffed it with malicious code, the developer's computer runs the attacker's code the moment they install it.

That can mean stolen credentials, a back door onto the developer's machine, or the malware quietly sliding into whatever product the developer is building. In the worst case, the poisoned code ends up shipped to the developer's customers.

How is this different from typosquatting?

Typosquatting is the older cousin. Attackers register names that look almost identical to popular tools, hoping a developer fat-fingers the spelling. reqeusts instead of requests, that sort of thing.

HalluSquatting flips the source of the mistake. The developer types perfectly. The AI is the one making things up. And because large language models tend to repeat their favourite hallucinations, the same fake name can appear again and again across thousands of conversations. That predictability is exactly what makes the attack economical for criminals.

The researchers found that some invented names surface reliably enough to justify registering them in advance. A patient attacker can seed dozens of fake packages and simply wait for AI-assisted developers to walk into them.

What should developers and companies do?

Treat anything an AI suggests as a hint, not a fact. Before installing a package the assistant mentions, check that it exists on the official registry, look at how long it has been published, and glance at how many people actually use it. Brand-new packages with almost no downloads deserve suspicion.

Larger teams can go further. Lock builds to an approved list of packages. Use private mirrors of npm and PyPI so nothing arrives from the open internet without review. Turn on dependency scanning, which flags known-bad libraries automatically.

And yes, tell the humans. Multi-factor authentication (a second login step, usually a code on your phone) would not have helped here, because nobody's account got broken into. This attack targets trust, not passwords. Training developers to slow down and verify is the honest fix.

The AI is not going to stop hallucinating this quarter. The attackers know it.

© 2026 Threat Vectr