
TL;DR
A July 2026 paper shows how hallucinated repository and skill names can become promptware delivery paths. The practical fix is boring: search before fetch, verify names, and sandbox every install.
HalluSquatting is the agent-security story that looks like a clever prompt-injection paper until you map it onto a normal developer workflow.
A coding agent sees a popular repo, package, skill, MCP server, or tool name. It needs to clone or install something. The model guesses the identifier instead of resolving it through search. An attacker has already registered the plausible wrong name and placed hostile instructions inside the resource. The agent fetches it, reads it, and now the attacker has a context channel into a tool-using system with a terminal.
That is the important shift. This is not only "LLMs hallucinate package names." We already covered that older slopsquatting pattern in Securing AI Coding Agents. HalluSquatting turns hallucinated resource names into a pull-based promptware delivery mechanism for agents that can fetch, clone, install, and execute.
Last updated: July 18, 2026. Google Trends was checked in the US over the past three months for Claude Code, AI coding agent, HalluSquatting, AI agent security, and promptware. Exact HalluSquatting and promptware interest was effectively zero, while broader durable demand sat around Claude Code at 62.1, AI coding agent at 4.0, and AI agent security at 2.8. That makes this a search-intent post about agent security, not a launch-chatter post about a paper title.
The primary source is the July 2026 arXiv paper Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting, with a public project page from researchers at Tel Aviv University, Technion, and Intuit.
The threat model is simple:
The researchers report high hallucination rates in repository-cloning and skill-installation scenarios, and they argue that the hallucinated names can transfer across models and application layers. Their project page says the tested applications included AI coding assistants and CLIs with integrated terminals, including Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, OpenClaw, ZeroClaw, and NanoClaw.
That list will get attention. The more useful lesson is broader: any agent runtime that turns a natural-language resource request into a fetch, clone, install, or execute step has a name-resolution boundary.
If that boundary is fuzzy, prompt injection can enter through the supply chain.
Autocomplete gives you a suggestion. An agent creates a plan and acts on it.
That distinction matters because HalluSquatting attacks the handoff between language and resource identity. Humans often write shorthand:
Clone the new repo for the benchmark.
Install the skill from that paper.
Try the package everyone is using in the HN thread.
Add the MCP server for this SaaS.
Those are normal prompts. They are also underspecified.
A cautious human opens the source, copies the exact URL, checks the owner, and reviews the README. A coding agent may infer the missing identifier. If the inferred name is wrong but plausible, the failure no longer looks like a hallucination. It looks like normal automation.
That is why HalluSquatting belongs beside approval fatigue, agent sandboxes, and Dockerless verification. The failure is not that the model generated bad text. The failure is that the system let unverified text become an executable resource.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jul 18, 2026 • 8 min read
Jul 18, 2026 • 7 min read
Jul 18, 2026 • 6 min read
Jul 18, 2026 • 6 min read
The paper's mitigation section points to the right default: force a search or resolution step before any fetch operation.
For coding agents, that should become a product invariant:
Natural-language resource name
-> search or registry lookup
-> ranked canonical candidates
-> owner, age, stars, package metadata, and source URL check
-> explicit selected identifier
-> clone, install, fetch, or execute
The agent should not be allowed to jump from "clone the trending repo" to git clone some/plausible-name.
This is the same reason package managers, browsers, and deployment systems have spent years turning names into verified artifacts. Humans are bad at names. Models are worse at names. Security-sensitive systems need resolution, not vibes.
If you run agents locally, in CI, or inside an internal developer platform, HalluSquatting suggests five concrete controls.
Do not classify these as normal shell commands. They cross a trust boundary.
Your permissions layer should distinguish:
The final four deserve stricter policy than ls, rg, or editing a test file.
Natural language can begin the flow, but it should not finish it.
For GitHub, resolve to owner/repo from search results or an exact URL. For packages, resolve through the package registry. For skills and plugins, resolve through a signed or curated registry where possible. For MCP servers, prefer a known package, pinned commit, or internal allowlist over arbitrary instructions copied from a page.
This is especially important for fresh, trending resources. The researchers explicitly call out newly popular resources as attractive because models are less likely to have stable identifiers for them.
Before an agent installs a new dependency or clones a new repo, check signals that are cheap to automate:
None of these proves safety. Together they catch the embarrassing cases where the model invented a resource and the system treated it as real.
Even with name checks, assume one bad resource eventually gets through.
That means the fetch path needs the same containment we already recommend for agent execution: filesystem boundaries, network allowlists, read-only access to sensitive files, and deny rules for implicit execution paths such as .git/hooks, shell profiles, editor task files, and CI configuration.
If a cloned repo can immediately influence the host environment, the agent does not have a sandbox. It has a polite request system.
Every agent run that fetches an external resource should leave a receipt:
This is not bureaucracy. It is how a reviewer answers "why did the agent install this?" two days later.
We have been making the same argument in posts about long-running agent harnesses and agent receipts: the important artifact is not just the final diff. It is the chain of evidence that produced it.
There is a temptation to turn every agent-security paper into "all coding assistants are malware now." That is not the useful read.
The paper describes a serious class of attack, but the public project page also says the researchers responsibly disclosed findings and redacted implementation details that would directly help attackers. The right conclusion is not panic. It is product design.
The unsafe claims to avoid:
The safer conclusion:
Agents need deterministic resource resolution before retrieval, containment during retrieval, and receipts after retrieval.
That is a boring sentence. Boring is the point.
For personal use, the policy can be lightweight:
git clone, package installs, curl-to-shell patterns, MCP installs, and skill installs.For teams, make it a platform rule:
No inferred external resource may be fetched or installed without a resolver receipt.
That one policy covers GitHub repos, npm packages, Python packages, MCP servers, agent skills, browser extensions, and internal tool catalogs. It also gives reviewers a concrete thing to check.
If your current agent harness cannot produce that receipt, the next sprint is not about adding another model. It is about adding a resolver.
HalluSquatting is an attack pattern where an adversary registers resource names that LLMs are likely to hallucinate, then uses those fake resources to deliver adversarial prompt content to agents that fetch, clone, install, or execute external resources.
They are related but not identical. Slopsquatting usually refers to hallucinated package names in software supply chains. HalluSquatting generalizes the idea to agentic resource retrieval, including repositories, skills, and other resources that a tool-using LLM might fetch.
No. It means agents should resolve names through search or registry lookup before retrieval, record the evidence, and run the retrieval path inside a sandbox. Network access is not the problem by itself. Unverified resource identity is the problem.
Require exact URLs or registry-resolved identifiers for new external resources, then gate git clone, package installs, MCP installs, and skill installs behind approval plus sandboxing. Add dependency cooldowns and lockfile-only CI so a bad install cannot silently become a production change.
HalluSquatting, AI agent security, AI coding agent, and Claude Code.Claude Code, AI coding agent, HalluSquatting, AI agent security, and promptware; exact HalluSquatting demand was not durable yet, so the article targets the broader agent-security cluster.Read next
AI agents are getting their own computers. Here is how to choose a sandbox architecture: filesystem isolation, network policy, secrets boundaries, snapshots, and when shell access is overkill.
8 min readManual approval prompts stop protecting users when coding agents ask too often. The better pattern is risk-aware autonomy: safe defaults, narrow deny rules, and approvals only for meaningful changes.
7 min readByteDance's Dockerless paper asks whether coding-agent patches can be verified without spinning up per-repo environments. The practical answer is not replace CI. It is use cheaper evidence before CI.
8 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
Mac app for running parallel Claude Code, Codex, and Cursor agents in isolated workspaces. Watch every agent work at onc...
View ToolAnthropic's agentic coding CLI. Runs in your terminal, edits files autonomously, spawns sub-agents, and maintains memory...
View ToolCodeium's AI-native IDE. Cascade agent mode handles multi-file edits autonomously. Free tier with generous limits. Stron...
View ToolAI-native code editor forked from VS Code. Composer mode rewrites multiple files at once. Tab autocomplete predicts your...
View ToolEvery coding agent in one window. Stop alt-tabbing between Claude, Codex, and Cursor.
View AppCompare AI coding agents on reproducible tasks with scored, shareable runs.
View AppScore every coding agent on your own tasks. Catch regressions in CI.
View AppConfigure Claude Code for maximum productivity -- CLAUDE.md, sub-agents, MCP servers, and autonomous workflows.
AI AgentsA complete, citation-backed Claude Code course with setup, prompting systems, MCP, CI, security, cost controls, and capstone workflows.
ai-developmentDeep comparison of the top AI agent frameworks - LangGraph, CrewAI, Mastra, CopilotKit, AutoGen, and Claude Code.
AI Agents
Open Design: Open-Source n8n App That Turns Any Website into a Brand Kit, Design System, HTML + Images The video introduces Open Design, an MIT-licensed full-stack template that combines AI and n8n a

Leveraging Anthropic's Subagent for Claude Code: A Step-by-Step Guide In this video, we explore Anthropic's newly released subagent feature for Cloud Code, which allows developers to create...

Claude Code Review: Next-Level AI-Assisted Coding In this video, I share my insights after using Claude Code for 30 days. Discover why I believe Claude Code is one of the best AI coding agents...

AI agents are getting their own computers. Here is how to choose a sandbox architecture: filesystem isolation, network p...

Manual approval prompts stop protecting users when coding agents ask too often. The better pattern is risk-aware autonom...

ByteDance's Dockerless paper asks whether coding-agent patches can be verified without spinning up per-repo environments...

A long-running coding agent is only useful if the environment around it can queue tasks, capture logs, checkpoint state,...

Autocomplete wrote the line. Agents write the pull request. The shift from Copilot to Claude Code, Cursor Agent, and Dev...

A Microsoft field study found that CLI coding-agent adoption spreads through peers and managers, while adopters merged r...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.