New threat: how networks themselves download viruses for their mistakes

7/10/2026, 10:26 AMЕвгения Слив

Researchers from Tel Aviv University, Technion, and Intuit have identified a fundamentally new class of cyberattacks targeting autonomous AI agents. The attack, named Adversarial HalluSquatting, exploits a well-known flaw in large language models—their tendency to hallucinate and invent non-existent identifiers for external resources. Attackers monitor which fake repository addresses or skill names a specific neural network frequently generates, and then simply register these names on platforms like GitHub or ClawHub. By placing malicious code or instructions in these seemingly legitimate resources, hackers create a perfect trap. When the AI agent later tries to clone a repository or install a skill and accidentally "remembers" that exact fabricated address, it independently downloads and executes the attacker's payload, effectively turning the user's computer into a botnet node without any direct phishing.

The scale of the vulnerability is staggering, as confirmed by extensive testing involving over fourteen thousand runs across various popular AI coding assistants, including Cursor, Windsurf, GitHub Copilot, and OpenClaw. Experiments showed that when attempting to clone trending repositories, models hallucinated incorrect addresses in over ninety percent of cases. In real-world scenarios, the end-to-end attack successfully compromised systems in sixty-five percent of runs, depending on the application and the underlying model. The most alarming aspect is the scalability of this method: unlike traditional targeted attacks, a hacker does not need to send a malicious link to a specific victim. It is enough to publish a poisoned resource in a public space and wait for AI agents around the world to independently discover and execute it, leading to mass infections.

Despite the critical nature of the discovered vulnerability, the reaction of major technology corporations has been surprisingly dismissive. GitHub stated that registering available names is expected platform behavior, completely shifting the blame to the AI models themselves and the agents that trust third-party code. Similarly, OpenAI, Anthropic, and Cursor refused to classify this issue as a vulnerability within their bug bounty programs, arguing that the root cause lies in model hallucinations or dependency confusion attacks. Researchers propose mitigations such as mandatory web searches before downloading resources and proactive name reservation by the platforms themselves, but the lack of vendor cooperation leaves millions of users at risk. This incident perfectly illustrates the growing trend warned about by Google Threat Intelligence: cybercriminals are increasingly using artificial intelligence not just as an auxiliary tool, but as a direct vector for deploying highly sophisticated malware.

Popular news