The Sheffield Press

Technology

Hackers weaponize AI hallucinations to spread malware through supply chains

By Mike Shaw ·
Hackers weaponize AI hallucinations to spread malware through supply chains

Security researchers said a new attack class called HalluSquatting turned AI package hallucinations into a malware delivery channel, with hackers using false names surfaced by nine popular AI tools to help assemble massive botnets. The blind spot is simple and dangerous: when a coding assistant invents a package, repository, or resource name with confidence, an attacker can register that exact fake name first and push malicious code to anyone who follows the suggestion.

HalluSquatting exploits a failure mode that developers already know but often ignore in practice. AI coding assistants can generate nonexistent package names and other fabricated locations, then present them as if they were real. Once those names exist in a model response, attackers can pre-register them with malicious payloads and wait for users to install the attacker-controlled package instead of the intended one. That makes the model itself part of the supply chain, not just a helper sitting outside it.

The people most exposed are the ones who lean on AI for package lookup, dependency discovery, and code scaffolding without checking the underlying registry, repository ownership, or installation source. Organizations that let assistants suggest exact package names or commands to engineers, contractors, and automated build systems are especially vulnerable, because the attack turns a routine shortcut into a path for malware to enter production environments.

AI-generated illustration
AI-generated illustration

The same week, Palo Alto Networks’ Unit 42 described a closely related tactic called phantom squatting. In that scheme, attackers register web domains hallucinated by AI systems and use them to intercept traffic, then serve phishing pages or malware. Unit 42 described the technique as a significant software supply-chain risk, and later reporting tied the research to 13,229 malicious URLs on AI-hallucinated domains, with about 250,000 more unregistered domains still available for abuse.

The pattern is spreading beyond one trick. Security research in 2026 has already shown prompt injection, runtime credential theft, and agent framework exploitation as real-world attack surfaces, not theoretical ones. The practical shift for developers is immediate: stop treating model-generated package names, URLs, and install steps as trusted output. Verify them before use, because a hallucination can now be weaponized before anyone notices it exists.

technologyHackers