Sources
- Ars Technica AI
Join the community
Create your free Charmloop account — no credit card, no limits on browsing. Start making AI art in minutes.

Create your free Charmloop account — no credit card, no limits on browsing. Start making AI art in minutes.

Security researchers have demonstrated a technique called HalluSquatting that turns AI hallucinations into a botnet-building pipeline — and nine of the most widely used AI tools are susceptible, according to reporting by Ars Technica.\n\n## Key takeaways\n\n- HalluSquatting is an attack that registers fake software packages matching names AI tools hallucinate, then waits for users to install them.\n- Researchers found nine major AI platforms — including widely used coding and creative assistants — will confidently recommend these non-existent or malicious packages.\n- The attack exploits a core LLM weakness: models cannot reliably say "I don't know" and instead fabricate plausible-sounding package names.\n- Users who follow AI-generated install instructions without independently verifying package sources are the primary targets.\n- No patch exists for the underlying hallucination problem; the fix is behavioral, not technical.\n\n## How HalluSquatting actually works\n\nThe mechanics are straightforward and that's what makes them dangerous. When an LLM doesn't know the exact name of a software library or tool, it doesn't stay silent — it generates a plausible-sounding answer. Attackers monitor these hallucinated package names, register them on public repositories like PyPI or npm before any legitimate package claims them, and then load those packages with malware. Anyone who asks an AI assistant "how do I install X?" and follows the output verbatim becomes a potential entry point.\n\nThe term "squatting" comes from typosquatting, the older practice of registering near-identical domain names to catch mistyped URLs. HalluSquatting is the same idea applied to AI outputs at scale — except the AI is doing the typo-generation automatically, and consistently, across millions of queries.\n\nResearchers tested nine prominent AI tools and found all of them would, under the right prompting conditions, recommend packages that don't exist. The specific platforms weren't all named in early coverage, but the breadth — nine tools — signals this isn't a quirk of one poorly tuned model. It's a structural property of how LLMs handle uncertainty.\n\n## The specific risk for AI-assisted creative workflows\n\nFor AI-art creators, the immediate exposure isn't in image generation itself — it's in the surrounding toolchain. Workflows built around Stable Diffusion, ComfyUI, automatic1111, or custom ControlNet pipelines often require installing Python packages, extensions, and nodes. When creators hit a setup problem and ask an AI coding assistant for help, they're squarely in HalluSquatting territory.\n\nA creator troubleshooting a ComfyUI custom node or trying to install a new LoRA training dependency via pip is exactly the user this attack targets. The AI assistant sounds authoritative. The package name looks legitimate. The install command is syntactically correct. The malware runs silently.\n\nThe same risk applies to anyone using AI tools to scaffold automation scripts for batch generation, API integrations, or model fine-tuning pipelines — all common in serious AI-art workflows.\n\n## Why the usual security advice falls short here\n\nStandard advice — keep software updated, don't download from unknown sources — doesn't map cleanly onto this threat. The source here is a trusted AI tool the user has chosen deliberately. The package repository (PyPI, npm) is the same one legitimate software uses. There's no obvious red flag at the moment of installation.\n\nThe only reliable defense is to verify every package name independently before running an install command: check the official documentation for the library, confirm the package exists on the repository before installing, and look at download counts and publication dates as a basic sanity check. A package with 12 downloads published last Tuesday is a warning sign regardless of how confidently an AI recommended it.\n\nThere is no model update that fully closes this gap. Hallucination is a probabilistic property of current LLM architectures, not a bug with a known patch. Anthropic, OpenAI, and others have made progress on reducing hallucination rates, but "reduced" is not "eliminated" — and attackers only need the model to be wrong once.\n\nFor creators building complex local pipelines, treating AI-generated install instructions as a starting point to verify rather than a final answer is now a practical security habit, not just theoretical caution.