Papers
Topics
Authors
Recent
Search
2000 character limit reached

Adversarial HalluSquatting Attacks

Updated 9 July 2026
  • The paper establishes that adversarial HalluSquatting exploits LLM hallucinations to hijack resource identifiers, leading to remote code execution and botnet-style infections.
  • The attack pipeline uses a six-stage process—from preparation and hallucination to retrieval and execution—demonstrating predictable and transferable squatting patterns across models.
  • Empirical analysis shows high hallucination rates (up to 92.4% for trending repositories) and successful exploitation across various tools and platforms, raising pressing security concerns.

to=arxiv_search.search 微信公众号天天中彩票 大发快三豹子on 2(Spira et al., 8 Jul 2026) OR title:\2^ րոպե code պարզ {"2query2 OR title:\2"Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting\"","max_results":5,"sort_by":"submittedDate"} to=arxiv_search.search 大发彩票官网 to=arxiv_search.search _色രം code պարզ {"2query2 OR title:\2query2} to=arxiv_search.search 天天中彩票如何on code պարզ {"2query2 hallucination squatting", "max_results": 2(Spira et al., 8 Jul 2026) OR title:\2query2, "sort_by": "relevance"} Adversarial hallucination squatting denotes a class of attacks in which an adversary exploits the tendency of LLMs and agentic LLM applications to hallucinate resource identifiers—such as GitHub repository slugs, marketplace skill slugs, package names, URLs, endpoints, or API references—and then preemptively registers, hijacks, or impersonates those identifiers so that ordinary model-assisted retrieval resolves to attacker-controlled content. In the formulation introduced as adversarial HalluSquatting, the attack amplifies untargeted promptware under weak threat models because the adversary does not need direct contact with the victim; instead, the victim agent pulls a hallucinated external resource from the Internet and may then execute embedded instructions or tools (&&&2query2&&&). Closely related work places the same phenomenon within software supply-chain compromise: models can act as malicious code recommenders, emit hallucinated endpoints, or recommend non-existent packages that later become slopsquatting targets (Noever et al., 2024, Spracklen et al., 1 May 2026).

Adversarial HalluSquatting is defined as a promptware delivery technique in which the attacker exploits hallucinated identifiers and squats them in advance. The attacker is assumed to be weak but realistic: they can identify popular or trending resources on public platforms and register public resources such as GitHub repositories or ClawHub skills, but they do not need access to the victim, a direct prompt-injection channel, control over the victim application, or compromise of the original resource. The victim is any agentic LLM application that retrieves external resources from the Internet, uses an LLM to plan actions, and can execute tools such as shell, terminal, file I/O, or web search (&&&2query2&&&).

This formulation is explicitly distinguished from several adjacent attack classes. Direct prompt injection assumes that the attacker is the user and directly supplies malicious prompts. Indirect prompt injection hides malicious instructions in ingested content. Promptware is content engineered to behave like malware by causing the agent to act maliciously. Adversarial HalluSquatting differs in that it works in weak threat models, does not need direct victim contact, targets the LLM application at inference time rather than only downstream code artifacts, and can be universal and transferable across models and applications. The most consequential outcome is remote code execution and eventual botnet-style behavior, summarized in the paper as a one-to-many infection pattern, “2(Spira et al., 8 Jul 2026) OR title:\2^ compromised resource → n compromised machines” (&&&2query2&&&).

The broader significance is that hallucination is no longer merely a correctness failure. In this setting, hallucinated identifier resolution becomes a remote attack vector whenever an agent resolves natural-language requests into external resources, trusts the resulting content, and can execute tools. A plausible implication is that the attack surface scales with the deployment of tool-using agents, not merely with the number of end users.

2. Attack construction and operational mechanics

The attack pipeline described for adversarial HalluSquatting has six conceptual stages: preparation, trigger, planning, hallucination, retrieval, and context poisoning or execution. In preparation, the attacker identifies trending resources, probes an LLM or target application with prompts designed to elicit hallucinated resource identifiers, builds a distribution over hallucinated outputs, chooses a universal squatting candidate, and registers it with embedded promptware. The trigger is an ordinary user request such as clone repo name or install skill name. During planning, the agentic framework uses an LLM to decide how to fulfill the request. If the model hallucinates an incorrect identifier, the application fetches the attacker-controlled resource instead of the intended one, and the fetched content can inject instructions into the agent context, leading to remote tool execution or remote code execution (&&&2query2&&&).

For repository squatting, the core probing prompt is essentially print a shell command to clone <repo>. For skills, the probing prompt is install <display-name>. The paper’s appendix gives an empirical hallucination-distribution estimator, PRESERVED_PLACEHOLDER_2query2, which queries a model PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\2^ times, counts each candidate, and normalizes by

Dist[c]=Counts[c]K.\mathsf{Dist}[c] = \frac{\mathsf{Counts}[c]}{K}.

To identify cross-model squat candidates, it defines a consensus score

s(c)=mM:cDist[m]Dist[m][c]M,s(c)=\sum_{m \in \mathcal{M}: c \in \mathsf{Dist}[m]} \frac{\mathsf{Dist}[m][c]}{|\mathcal{M}|},

which ranks identifiers by averaged support across models. Candidates that appear consistently across many models rank highest, and model-specific overfitting is reduced by equal normalization over M|\mathcal{M}| (&&&2query2&&&).

A notable feature is the “zero-probing attack.” For newly trending repositories, the attacker can simply squat repo-name/repo-name, relying on the self-referential hallucination pattern without probing any model. This mechanism reflects the paper’s claim that hallucination patterns are predictable and transferable across Gemini, GPT, and Claude families, and that a universal squatting candidate often exists for a trending resource (&&&2query2&&&).

3. Repository cloning, skill installation, and observed transferability

The repository study evaluates 2(Spira et al., 8 Jul 2026) OR title:\25 repositories in the main cross-model setting: 2(Spira et al., 8 Jul 2026) OR title:\2query2^ recent or trending 22query225 repositories and 5 old established repositories, plus librepods as a case study or cross-application target. Six foundation models are queried directly via API—gemini-2.5-flash, gemini-2.5-pro, gpt-5.2(Spira et al., 8 Jul 2026) OR title:\2, gpt-5.2, sonnet-4.5, and opus-4.5—with 2(Spira et al., 8 Jul 2026) OR title:\2query2query2^ queries per (repo, model) pair, yielding 92query2query2query2^ queries on the 2(Spira et al., 8 Jul 2026) OR title:\25-repository set plus 62query2query2^ queries on librepods. Each resulting slug is labeled as correct, squattable, wrong owner, wrong repository, or placeholder emission (&&&2query2&&&).

Three repository hallucination patterns are identified. The first is self-referential hallucination, repo-name/repo-name\text{repo-name}/\text{repo-name}, exemplified by librepods/librepods; the paper describes this as the most exploitable pattern because the owner often does not exist and is trivially predictable. The second is existing-owner attribution, where the model outputs a real GitHub owner unrelated to the target. The third is placeholder emission, such as username/librepods or <owner>/archon, which may be malformed or non-executable but still indicates failure to resolve correctly. Quantitatively, recent or trending repositories exhibit a mean hallucination rate of 92.4%, whereas old repositories exhibit 2query2.9%. The table summarized in the paper reports that 53 of 62query2^ recent (repo, model) combinations are at 2(Spira et al., 8 Jul 2026) OR title:\2query2query2% hallucination. Across 62query2query2query2^ queries on recent repositories, models emit a directly squattable slug in 27% of runs, corresponding to 2(Spira et al., 8 Jul 2026) OR title:\2query2query22^ total squattable outputs. For all 2(Spira et al., 8 Jul 2026) OR title:\2query2^ trending repositories studied, at least one registrable candidate appears in the top 2(Spira et al., 8 Jul 2026) OR title:\2query2^ universal scores. Reported examples include pageindex/pageindex at 35.2%, deeptutor/deeptutor at 34.6%, antigravity-manager/antigravity-manager at 33.2(Spira et al., 8 Jul 2026) OR title:\2%, bytedance/ui-tars-desktop at 33.2query2%, openbmb/voxcpm at 26.4%, and oh-my-opencode/oh-my-opencode at 23.9% (&&&2query2&&&).

Production applications are also tested. Gemini CLI produces a valid slug in 57% of runs, and 82% of those valid-slug runs are hallucinated; in the table cited, this is 287 valid-slug runs out of 52query2query2, of which 235 are hallucinated. Cursor CLI shows lower hallucination for some models because it more often invokes search. The paper distinguishes search-aided resolution, aggressive self-verification, and search avoidance, and reports a particularly strong mitigation effect from web search: with web search, 93.4% of runs are correct; without web search, 99.2(Spira et al., 8 Jul 2026) OR title:\2% are hallucinated. Prompt framing materially affects whether the assistant invokes search. Imperative, indirect, question, and generative prompts produce different behavior across model families, and the paper concludes that there is no universally safe phrasing (&&&2query2&&&).

End-to-end repository squatting is demonstrated against Cursor, Cursor CLI, Gemini CLI, Windsurf, Copilot Chat, and Cline. Two promptware payload classes are used: an RCE payload disguised as a benign setup verification tool that walks the filesystem, collects .env files, and exfiltrates them via curl; and a tool-invocation payload that uses assistant-specific project-rule files—.cursor/rules/, .windsurfrules, .clinerules, and .github/copilot-instructions.md—as well as README instructions to induce exfiltration of conversation context. Reported RCE success rates from Table 2(Spira et al., 8 Jul 2026) OR title:\2^ are 25% for Cursor, 32query2% for Cursor CLI, 22query2–35% for Gemini CLI, 65% for Windsurf, 35% for Copilot Chat, and 45% for Cline. For OpenClaw, ZeroClaw, and NanoClaw, tool invocation is often 82query22(Spira et al., 8 Jul 2026) OR title:\2query2query2% and RCE is 42query22(Spira et al., 8 Jul 2026) OR title:\2query2query2%, depending on configuration (&&&2query2&&&).

The skill-squatting extension targets the OpenClaw ecosystem and the ClawHub marketplace. Skills expose a display name, a unique slug, and install metadata in SKILL.md. Two vulnerability classes are identified. V2(Spira et al., 8 Jul 2026) OR title:\2^ is word removal, especially dropping the word “skill,” as in resolving skill-vetter to vetter. V2 is display-name or slug divergence, exemplified by a display name “Baidu Wenku AIPPT” and slug ai-ppt-generator. A strong sub-case arises when the legitimate skill is documented primarily in Chinese and an English 2query2^ fails to retrieve it from ClawHub search. The experimental setup uses 2(Spira et al., 8 Jul 2026) OR title:\24 skills total, split into 7 V2(Spira et al., 8 Jul 2026) OR title:\2^ skills and 7 V2 skills, with 2(Spira et al., 8 Jul 2026) OR title:\2query2^ trials per (assistant, model, skill) combination and the prompt template install <display-name>. In the cross-model transfer experiment for skill-vetter, there are 2query2^ correct installs out of 42query2, three of four backbones produce vetter in 2(Spira et al., 8 Jul 2026) OR title:\2query2^ of 2(Spira et al., 8 Jul 2026) OR title:\2query2^ trials, and Opus produces vetter in 8 of 2(Spira et al., 8 Jul 2026) OR title:\2query2^ trials, leading the paper to conclude that a single squat target intercepts 95% of install attempts on average across four backbones. Across 2(Spira et al., 8 Jul 2026) OR title:\2sort_by2query2^ trials on 2(Spira et al., 8 Jul 2026) OR title:\24 skills, 2(Spira et al., 8 Jul 2026) OR title:\227 of 2(Spira et al., 8 Jul 2026) OR title:\2sort_by2query2, or 92query2.7%, are squattable and 2(Spira et al., 8 Jul 2026) OR title:\23 of 2(Spira et al., 8 Jul 2026) OR title:\2sort_by2query2, or 9.3%, are correct. Across 92query2^ trials with OpenClaw, ZeroClaw, and NanoClaw, 85 of 92query2, or 94.4%, are squattable. Once a squatted skill is installed, context exfiltration succeeds in 2(Spira et al., 8 Jul 2026) OR title:\2query2query2% of cases and reverse shell succeeds in 88% overall (&&&2query2&&&).

4. Precedents in AI-assisted development and software supply chains

Earlier work on AI-assisted development frames the same general phenomenon as an attack on the AI-assisted development pipeline. In that account, LLMs can be induced to act as malicious code recommenders: when a prompt is framed as a benign programming task, the model may bypass ordinary refusal behavior and hallucinate or recommend real, compromised, or attacker-controlled resources that a user can then copy directly into code. The ontology-style formulation describes a threat actor AA exploiting a source BB to provide programming patterns CC that the foundational model would otherwise not provide, effectively placing the LLM itself in the recommendation layer of the attack chain (Noever et al., 2024).

A central enabling mechanism in that work is context shifting. Direct requests for ransomware, phishing code, or fake login pages often trigger refusal, but the same request, reframed as a programming or debugging task, may be treated as admissible. The paper’s concrete examples span GitHub, NPM, NuGet, PyPI, RubyGems, Cargo, Yarn, and CDNs such as jsDelivr. Specific examples include a chatgpt-api clone on GitHub, NPM packages @realty-front/codegen and radar-cms, the Python package fatnoob, the Ruby gem atlas-client, the Rust crate xrvrv, iframe-based domains including allahabadbank.com, nuke.pe.hu, and stresser.ru, and a hallucinated API endpoint https://api-illustrate.com/ in a FastAPI OCR example. The argument is explicit that the risk is not limited to fake resources: a real but compromised resource recommended by the model can produce the same operational effect. The paper describes this as a hybrid of context-shifting jailbreaks and “living off the land” techniques, with the novelty that the LLM can “hijack otherwise innocent user prompts” into unsafe operational advice (Noever et al., 2024).

A later post-deployment defense paper isolates package hallucination in code generation as a critical supply-chain vulnerability. Its threat model is a classic slopsquatting or package-confusion chain: a code-generating LLM hallucinates a non-existent package name, an attacker registers that fabricated package on a public registry such as PyPI, developers or autonomous agents trust the model and install it, and the malicious package executes in the victim environment. The proposed Adaptive Unlearning framework addresses this behavior by combining an adaptive discovery loop with a tri-masked hybrid objective that reinforces valid package tokens, suppresses hallucinated package tokens, and regularizes the rest of the context. On DeepSeek-Coder-7B-Instruct-v2(Spira et al., 8 Jul 2026) OR title:\2.5, hallucination rate drops from 22(Spira et al., 8 Jul 2026) OR title:\2.23% to 2.56%; on DeepSeek-Coder-V2-Lite-Instruct, it drops from 27.75% to 6.2(Spira et al., 8 Jul 2026) OR title:\23%. The abstract summarizes the practical effect as an 82(Spira et al., 8 Jul 2026) OR title:\2% reduction in package hallucination rate, corresponding to a substantial reduction in slopsquatting attack surface, while preserving standard coding-benchmark performance (Spracklen et al., 1 May 2026).

Taken together, these works show two related but distinct attack surfaces. In AI-assisted development, the model may recommend dangerous code resources for a human or agent to copy. In adversarial HalluSquatting, the agent itself fetches the hallucinated resource and ingests promptware from it. This suggests a progression from downstream artifact poisoning toward direct inference-time compromise of tool-using agents.

5. Mechanistic analogues and adjacent formulations

Research outside repositories and package managers studies adversarial hallucination through internal generation dynamics, persona memory, and cross-modal reliability theory. In multimodal LLMs, one line of work introduces an adversarial hallucination attack that exploits attention sink behavior to trigger false visual facts with minimal image-text relevance. The method identifies a dynamic sink token in the current generation, optimizes a localized attention loss

Lattn(xv,xt)=CE(A(l),idx),\mathcal{L}_{\rm attn}(x^v, x^t) = CE(A'^{(l)}, {\rm idx}),

and an embedding loss

PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\2query2^

under the perturbation constraint PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\2(Spira et al., 8 Jul 2026) OR title:\2. The attack runs for PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\22^ iterations with learning rate PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\23, PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\24, and PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\25. Reported white-box image-captioning results include up to 75.74% HWR on LLaVA-2(Spira et al., 8 Jul 2026) OR title:\2.5, 72query2.84% on InstructBLIP, 67.97% on MiniGPT-4, and 59.2(Spira et al., 8 Jul 2026) OR title:\2(Spira et al., 8 Jul 2026) OR title:\2% on Shikra; on OK-VQA, accuracy is reduced by up to 7.67%. Transfer also reaches commercial APIs, increasing hallucination word rate by 3.42query2% on GPT-4o mini and 5.32% on Gemini 2(Spira et al., 8 Jul 2026) OR title:\2.5 Flash (&&&2(Spira et al., 8 Jul 2026) OR title:\28&&&).

This multimodal work is relevant because it describes a form of adversarial occupancy of an internal control structure. The paper states that, if the term “adversarial hallucination squatting” is used to mean an attacker deliberately occupying the model’s internal generation pathway, especially attention sinks, then the attack is a direct realization of that concept. The attacker identifies the token that will become the sink, shapes it to absorb misleading global context, and exploits it to steer later tokens into hallucination. This suggests an internal-mechanism analogue of identifier squatting: in one case the attacker occupies an external name; in the other, a privileged internal generation role (&&&2(Spira et al., 8 Jul 2026) OR title:\28&&&).

A second adjacent line of work concerns persona memory. Synthius-Mem argues that long-term memory systems should not only answer supported questions accurately but also refuse false-premise questions about facts the user never disclosed. It stores only attested persona facts across six typed domains—biography, experiences, preferences, social circle, work, and psychometrics—and retrieves them through CategoryRAG at 22(Spira et al., 8 Jul 2026) OR title:\2.79 ms mean latency. On LoCoMo, with 2(Spira et al., 8 Jul 2026) OR title:\2query2^ conversations, 22query2^ participants, and 2(Spira et al., 8 Jul 2026) OR title:\2,82(Spira et al., 8 Jul 2026) OR title:\23 questions, it reports 94.37% memory accuracy, 98.64% core memory fact accuracy, 94.42query2% temporal precision, 78.26% open inference, 57.66% peripheral detail, and 99.55% adversarial robustness. Of the 442 false-premise questions, only 2 are answered incorrectly. The paper explicitly identifies false-premise questions as a natural attack surface for “memory squatting” style failures and treats absence of evidence as grounds for refusal rather than fabrication (&&&22query2&&&).

A third line proposes a unified geometric account of adversarial fragility and LLM hallucination. Under the Neural Uncertainty Principle, input and input-gradient are treated as a conjugate pair, and the practical diagnostic is the Conjugate Correlation Probe, computable with a single backward pass. For LLMs, the prompt-side probe is

PRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\26

evaluated in the prefill stage only, before decoding. The paper interprets low prefill CC-Probe as weak prompt-conditioning or slack-dominated dynamics, hence higher hallucination risk, and uses the negative score as a decoding-free hallucination-risk signal for prompt selection (&&&22(Spira et al., 8 Jul 2026) OR title:\2&&&).

Mitigation work in vision-LLMs complements these attack analyses. ALEAHallu follows an Activate–Locate–Edit Adversarially paradigm: it constructs an activation dataset of grounded and hallucinatory response pairs, identifies hallucination-prone parameter clusters via hidden-state differences, and fine-tunes the second-layer MLP weight matrix in the selected layer using an adversarially tuned prefix. On 4,2query2query2query2^ MSCOCO images, the process yields 2,2query2query2(Spira et al., 8 Jul 2026) OR title:\2^ valid positive-negative pairs. For LLaVA-2(Spira et al., 8 Jul 2026) OR title:\2.5 image captioning, CHAIRPRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\27 drops from 56.4 to 39.3 and CHAIRPRESERVED_PLACEHOLDER_2(Spira et al., 8 Jul 2026) OR title:\28 from 2(Spira et al., 8 Jul 2026) OR title:\27.2 to 2(Spira et al., 8 Jul 2026) OR title:\22.2(Spira et al., 8 Jul 2026) OR title:\2, while Recall rises from 69.5 to 74.2. Attention paid to the image rises from 29.72(Spira et al., 8 Jul 2026) OR title:\2% to 33.72% after editing. This line of work is not framed as HalluSquatting, but it addresses the same underlying asymmetry identified in other papers: parametric bias and visual neglect can make fluent but unsupported outputs easy to induce unless the model is structurally edited toward grounded evidence (Hu et al., 26 Dec 2025).

6. Defenses, limitations, and research directions

The most direct mitigations proposed for adversarial HalluSquatting are application-side and platform-side. Application-side measures include enforcing a search-before-fetch workflow, using planner examples that encourage verification, inspecting fetch-related plans, requiring explicit search or resolution before cloning or installing, and improving prompt-injection defenses for fetched content. Platform-side measures include enforcing global uniqueness of names, or at least blocking reuse across owners, proactively reserving high-risk aliases or likely hallucinations, strengthening publish-time checks for near-squats, and identifying prompt injections in registered content. The paper especially emphasizes preemptive registration of likely hallucinated names as a defensive mirror of the attack, analogous to typosquatting defense but adapted to LLM hallucination patterns (&&&2query2&&&).

Adjacent papers recommend stronger context-sensitive safeguards and more robust blacklisting or vetting of recommended resources, as well as red-teaming and benchmarking that specifically targets code-assistance contexts rather than only direct harmful queries. In code generation, Adaptive Unlearning offers a post-deployment mitigation that operates entirely on model-generated data and does not require human annotation; in persona memory, typed storage of attested facts treats retrieval failure as a signal to abstain; in vision-LLMs, adversarial parameter editing aims to shift generation away from linguistic priors and toward visual evidence (Noever et al., 2024, Spracklen et al., 1 May 2026, &&&22query2&&&, Hu et al., 26 Dec 2025).

The literature also records important limitations. In the HalluSquatting study, ethical constraints meant that benign payloads were used on public platforms rather than real malicious payloads, so the experiments did not fully exercise malware scanners or platform defenses; the authors state that the reported results are likely a lower bound on true exposure. In the malicious code recommender study, some malicious behavior depends on the user actually copying or deploying the suggestion, some sites enforce security headers such as X-Frame-Options, and some packages or domains may be obviously suspicious to a careful reviewer. In the package-hallucination defense study, verification is string-level validity against a fixed PyPI snapshot, not semantic appropriateness in context, and experiments are Python-centric (&&&2query2&&&, Noever et al., 2024, Spracklen et al., 1 May 2026).

The main conceptual shift across these papers is the treatment of hallucination as a security primitive. In repository cloning, skill installation, package recommendation, endpoint generation, persona memory, and multimodal perception, unsupported outputs become exploitable when they name resources, facts, or latent control structures that an adversary can occupy. A plausible implication is that robust deployment requires moving beyond refusal-based safety toward verified retrieval, provenance enforcement, domain-structured memory, targeted unlearning, and pre-generation risk signals. In that sense, adversarial hallucination squatting names both a concrete attack family and a broader reliability problem: whenever a model confidently fills in missing identifiers or facts, an attacker may be able to supply the missing world state.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Adversarial Hallucination Squatting.