Hackers Can Use 9 of the Most Popular AI Tools to Assemble Massive Botnets
Researchers discovered that nine widely used AI tools can be tricked into assembling massive botnets through a technique called "HalluSquatting." This vulnerability exploits AI models' tendency to hallucinate — generating plausible but incorrect responses — instead of refusing harmful requests. The finding underscores a critical security flaw in how AI handles ambiguous or malicious prompts.

Researchers have uncovered a significant security vulnerability affecting nine of the most popular AI tools, including ChatGPT, Claude, Gemini, Copilot, Grok, DeepSeek, Qwen, Llama, and Mistral. The attack, dubbed "HalluSquatting," weaponizes a well-known weakness of large language models (LLMs): their inability to say "I don't know." Instead of refusing when asked for nonexistent software packages, libraries, or APIs, these models often hallucinate — generating plausible-sounding but entirely fabricated names and download links.
Hackers can exploit this by first identifying hallucinated package names that the AI consistently produces. They then register those names on legitimate package repositories (like PyPI or npm) and upload malicious code disguised as the hallucinated package. When users or automated systems follow the AI's recommendation and install the fake package, their devices become part of a botnet controlled by the attacker.
The researchers demonstrated the attack across all nine tools, showing that each could be reliably tricked into suggesting malicious packages. The attack is particularly dangerous because it doesn't require compromising the AI service itself — it simply exploits the model's natural tendency to hallucinate. This makes it a low-effort, high-impact vector for assembling large botnets.
To protect yourself, be cautious when an AI tool recommends installing a software package you haven't heard of. Verify the package's existence and legitimacy through official sources before downloading. Avoid using AI-generated code or commands that involve installing third-party libraries without manual review. For developers, consider using tools that cross-reference AI suggestions against known package registries to flag potential hallucinations.