Researchers have identified a new attack vector exploiting how AI coding assistants generate fictitious package names, then suggest installing them as real dependencies.

The technique, termed HalluSquatting, works by identifying hallucinated package names that AI models reliably produce when asked to fetch tools or libraries. Attackers register these non-existent packages on public repositories like PyPI or npm, then wait for coding assistants to recommend them to developers. When users follow the AI suggestion and install the booby-trapped package, attackers gain execution on developer machines.

The attack targets a fundamental weakness in large language models. GPT and similar systems frequently confabulate plausible-sounding project names when asked to locate packages, especially for niche tools or libraries. An AI assistant asked to fetch a monitoring solution might invent names like "OptimizeMonitor" or "CloudWatcher" that sound legitimate but never existed.

Once attackers map which fake names a given AI model hallucinates consistently, they register those packages on official repositories before legitimate projects can claim them. The researchers demonstrated successful injection of botnet malware into packages that GPT-4 proposed to users.

The risk extends beyond individual developers. Supply chain attacks through compromised dependencies affect entire organizations relying on those packages. A single installation can introduce persistent backdoors, credential stealers, or botnet agents into corporate development environments.

Detection remains difficult because the malicious packages appear legitimate at first glance. They have real-looking descriptions, match the names AI suggested, and sit on trusted repositories. Developers following AI recommendations trust the assistant's authority.

Mitigation requires multiple layers. Organizations should restrict dependency installation to vetted, manually approved packages and audit AI-generated recommendations before execution. Repository maintainers can implement stronger verification processes for new package submissions. AI vendors should improve hallucination detection and flag uncertain suggestions clearly.

The