The news. On July 8, 2026, researchers posted Agentic Botnets, introducing adversarial hallucination squatting: an attacker samples the fake resource names a model is prone to invent, pre-registers those exact names, and hosts adversarial prompts there. The paper reports hallucinated-name rates up to 85% in repository-cloning scenarios and 100% in skill installation, and demonstrates remote tool execution and remote code execution against production LLM apps that carry terminal tools. Read the paper →
Picture an errand-runner you send into town to "grab the FastVec CLI from GitHub." There is no FastVec CLI — you half-remembered a name that sounds right. An honest runner comes back empty-handed. But a scammer has been standing on that corner for weeks, noticing that shoppers keep asking for the same handful of shops that were never there. So the scammer hangs a sign for exactly the shop you imagined, waits for your runner to walk in, and hands them a box of someone else's making. Your runner carries it home and opens it inside your house. The trap was never in the runner's route — it was in the fact that the runner will confidently walk into a store it invented. That runner is your coding agent, and the invented store is a hallucinated resource name.
An LLM asked to install a dependency, clone a repo, or load a skill does not look anything up — it pattern-completes a plausible identifier, exactly the way it can invent a citation that reads perfectly and cites nothing. Most of the time a made-up name simply 404s and the agent gives up. Adversarial hallucination squatting turns that dead end into an entry point: the attacker starts from trending topics, samples or estimates the model's distribution over likely hallucinated names, and pre-registers those exact names on the real registry the agent will reach for. When the agent hallucinates one and pulls it, the fetched resource is the attacker's — a README, a skill manifest, an install script full of promptware that steers the agent through whatever tools it holds.
| Attack family | What the attacker squats | Who supplies the wrong name | Model hallucination rate |
|---|---|---|---|
| Typosquatting | a typo of a real, popular package (reqeusts) | a human mistyping | n/a — human typo |
| Dependency confusion | an internal package name republished on a public registry | the resolver preferring the public copy | n/a — resolver picks the public copy |
| Adversarial hallucination squatting (this paper) | a name the model invents that never existed | the LLM hallucinating | up to 85% repo · 100% skill (this paper) |
What makes this scale is that the hallucinations are not random. Two agents on the same base model, handed the same trending task, tend to invent the same fake names — so the attacker does not need to register a universe of names, only the model's favorites. That is also why the paper stresses transferability: because the attack rides the model rather than any one app, a single squatted name can catch many applications that share that model and fetch path, which is what earns the "botnet" framing — untargeted, and scalable by construction.
Why one fake sign catches a crowd
Take the paper's repository-cloning result, where the model produces a non-existent repo name up to 85% of the time. Picture 1,000 agents, all built on the same base model, each told to clone a trending tool by name. About 850 of them propose a name that does not exist. The dangerous part is what they don't do: because they share one model, those 850 do not scatter across 850 different fakes — they pile onto the handful of most-probable hallucinations. Pre-register just the top few of those names and one squatted repo catches the bulk of the 850 — one sign, hundreds of wallets. (The 85% rate is from the paper; the 1,000-agent split and the convergence are an illustrative walk-through of why the attack scales rather than published figures.)
The defense that follows is structural, not a better speller. You cannot reliably teach a model to stop inventing names, and a blocklist of "known-bad" names is useless against names that do not exist yet. What works sits in the harness: allowlist what an agent may fetch at the input-filter layer so an unknown identifier is refused rather than resolved; treat every fetched repo or skill as untrusted content, not trusted code; and scope the agent's capabilities so that even a successful install cannot reach the terminal, the secrets, or the network it would need to do real damage. The squatted sign only pays off if the runner both walks in and is carrying your keys.
Goes deeper in: AI Agents → Tool Use & Function Calling → Tools as Attack Surface — the module step that frames install-by-name and skill-loading as an attack surface, not just a convenience.
Related explainers
- Camouflage Injection — domain vocabulary bypasses injection detectors — the same lesson at the input boundary: pattern-matching defenses fail against payloads that wear the right disguise
- kNNGuard — activation-space guardrails — a defense that inspects what the model is doing, not the surface string it emits
- CodeSpear — constrained decoding vs jailbreaks — another attack that rides the model's own generation, and a structural (not detection-based) way to blunt it