Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | How HalluSquatting Could Fuel Agentic Botnets
Jul 10, 2026
9 Mins Read
Moon

How HalluSquatting Could Fuel Agentic Botnets

AI agents can make software development and automation faster, but they can also introduce a new supply chain risk. HalluSquatting, also known as adversarial hallucination squatting, abuses an AI model’s tendency to invent plausible resource names, such as repositories, plugins, packages, or agent skills.

The risk becomes more serious when an AI agent can fetch resources, install tools, or run commands. If the agent acts on a hallucinated identifier, it may retrieve attacker-controlled content instead of the intended resource. Recent research connects this behavior to agentic botnet scenarios, where one squatted resource could be retrieved across many environments if agents share similar hallucination patterns and permissive tool access.

What Is HalluSquatting?

HalluSquatting is a technique where an attacker registers a resource name that a large language model (LLM) is likely to hallucinate. When an AI agent later tries to fetch that invented resource, it may retrieve attacker-controlled content instead of the intended project, plugin, package, or skill.

This resembles typosquatting, except the mistake comes from the model’s output instead of a user’s typing. Typosquatting depends on human errors, while HalluSquatting depends on plausible but incorrect names generated by an AI system.

The broader category is sometimes called hallucination exploitation, where attackers turn fabricated AI outputs into real malicious resources. Application Security Standards describes this as a software supply chain threat that exploits predictable AI-generated errors, including invented package names that attackers can register as real packages.

Why Does HalluSquatting Create Risk for AI Agents?

HalluSquatting becomes risky when an AI agent can act on a hallucinated resource name. A chatbot that only returns a wrong answer creates a reliability issue. An agent that can fetch, clone, install, or execute external resources can turn that hallucination into a security event.

The risk increases when agents have access to:

  • Terminals or shell tools
  • Package managers or installers
  • Repository cloning workflows
  • Plugin or skill marketplaces
  • Cloud or development environment credentials

In these workflows, the problem is not only that the model invented a name. The agent may retrieve attacker-controlled content, treat it as part of the task, and allow that content to influence later decisions or tool calls.

How Could HalluSquatting Scale into Agentic Botnets?

The agentic botnet risk comes from repetition. If many agents hallucinate the same resource name for a common request, one attacker-registered resource could become a repeated delivery point across different users, tools, or environments.

The original research describes a chain from hallucinated resource retrieval to context poisoning, tool invocation, and potential bot installation, depending on the agent’s permissions and safeguards.

This differs from traditional botnet growth. Instead of scanning for vulnerable devices or relying on weak credentials, an attacker could exploit predictable agent behavior in workflows where external resources are fetched automatically or with limited verification.

What Did Researchers Find?

The Agentic Botnets research reported high hallucination rates in experimental setups, including up to 85% in repository cloning scenarios and up to 100% in skill installation scenarios. The results depended on the model, prompt, resource type, and workflow.

The researchers also reported that hallucinated resource names can transfer across different foundation models and application layers. That matters because an attacker may not need to target only one model or one agent if similar hallucinated identifiers appear across environments.

How Does a HalluSquatting Attack Work?

HalluSquatting attack flow (Source)

HalluSquatting attack flow (Source)

A safe, high-level view of the attack chain looks like this:

  • Candidate discovery: The attacker identifies resource names that an LLM is likely to invent for common requests.
  • Registration: The attacker registers likely hallucinated identifiers in a repository host, marketplace, or registry.
  • Trigger: A user asks an agent to clone, install, fetch, or configure a resource.
  • Hallucination: The model outputs a plausible but incorrect identifier.
  • Retrieval: The agent fetches the attacker-controlled resource.
  • Context poisoning: The retrieved content influences the agent’s reasoning or next tool calls.
  • Tool use: If permissions allow, the agent may execute unsafe setup steps or commands.

The final impact depends on the agent architecture. An agent with read-only retrieval creates less risk than one with terminal access, installation rights, or access to sensitive tokens.

What Role Does Promptware Play?

Promptware is research terminology for malicious behavior driven by adversarial prompts inside LLM-based applications. It describes how prompt-based attacks can evolve from simple prompt injection into multi-step abuse involving privilege escalation, persistence, lateral movement, and actions on objectives.

In the HalluSquatting model, the squatted resource acts as the delivery path. The adversarial content inside that resource acts as the promptware logic.

Put simply: HalluSquatting delivers the content, while promptware tries to steer the agent.

What Could HalluSquatting Look Like in Practice?

A few non-operational examples help explain the risk.

Scenario What could happen Main risk
AI coding assistant The agent hallucinates a repository name and clones an attacker-controlled repo Malicious setup instructions or unsafe code execution
Agent skill marketplace The agent installs a hallucinated skill name that an attacker registered Context poisoning or unsafe tool use
Plugin workflow The model invents a plausible integration name and retrieves a fake plugin Supply chain exposure
Package installation The agent installs a hallucinated dependency from a public registry Dependency compromise

Permissions decide whether the incident stops at retrieval or progresses to execution. A workflow that requires verification and human approval is much safer than one that automatically fetches and executes external content.

Why Is HalluSquatting Hard to Detect?

HalluSquatting can blend into normal automation. A clone, install, or fetch action may look legitimate until the retrieved content changes the agent’s plan.

Defenders may face several challenges:

  • The resource name may look plausible.
  • The agent may retrieve it as part of an approved workflow.
  • Harmful behavior may appear only after context poisoning.
  • Traditional controls may not inspect the agent’s reasoning or tool plan.
  • Marketplace and repository reputation signals may be weak for newly created resources.

This makes agent telemetry important. Security teams need visibility into what the agent planned, what it retrieved, and which tools it used afterward.

How Can Organizations Reduce HalluSquatting Risk?

Defenses should focus on verification, tool control, and supply chain governance.

1. Require Search Before Fetch

Agent workflows should verify canonical resources before cloning, installing, or fetching. The Agentic Botnets researchers recommend a search then fetch approach, where a search or validation step happens before retrieval.

This reduces hallucination-driven retrieval and gives the system a chance to compare the proposed resource against trusted sources.

2. Enforce Tool-Layer Policies

Prompt instructions alone are not enough. Organizations should enforce controls at the tool layer.

Useful controls include:

  • Allowlisted repositories, registries, and marketplaces
  • Human approval for new installs
  • Sandboxed execution for setup scripts
  • Restrictions on terminal access
  • Separate permissions for read, install, and execute actions

3. Monitor Agent Retrieval and Tool Use

Security teams should monitor for risky sequences, such as:

  • Unknown resource retrieval followed by terminal execution
  • Newly created repositories or skills used in install workflows
  • Resource names that differ from verified canonical names
  • Fetch or install actions from low-reputation publishers
  • Tool use that happens outside the user’s original intent

These signals can help defenders catch suspicious agent behavior before it leads to broader compromise.

4. Treat Agent Marketplaces as Supply Chain Infrastructure

Low-friction publishing helps ecosystems grow, but agent-enabled installation can make abuse more scalable if verification is weak. Agent skills, plugins, repositories, and integrations should be governed like software supply chain assets.

Organizations should define:

  • Approved marketplaces and registries
  • Publisher verification requirements
  • Signing or integrity checks
  • Review rules for executable content
  • Logging requirements for agent installs and updates

How Should Teams Respond to Suspected HalluSquatting?

A practical response workflow should focus on containment and validation:

  • Identify the resource the agent retrieved.
  • Compare it with the intended canonical resource.
  • Review tool-call logs for install, shell, or privileged actions.
  • Isolate affected endpoints if execution occurred.
  • Remove untrusted artifacts.
  • Rotate tokens or credentials available to the agent.
  • Restore from known-good sources if needed.
  • Add the identifier, publisher, or domain to blocklists or review queues.
  • Update agent policies to require stronger verification before future retrieval.

The goal is to confirm whether the agent only retrieved content or also executed commands, installed software, or exposed credentials.

How Can SOCRadar Support Agentic AI Risk Monitoring?

Emerging risks like HalluSquatting show why security teams need visibility beyond traditional CVEs. The threat may involve suspicious repositories, marketplace abuse, brand impersonation, or supply chain signals before a conventional indicator appears.

SOCRadar CyberThreat Intelligence module can help teams monitor emerging attack techniques, adversary discussions, and ecosystem abuse patterns relevant to AI agent supply chains. Brand Protection can support monitoring for brand impersonation, suspicious external resources, and exposure signals that may overlap with squatting or marketplace abuse.

SOCRadar’s Brand Protection, Impersonating Domains

SOCRadar’s Brand Protection, Impersonating Domains

For organizations adopting agentic AI, this context can help security teams identify risky external resources earlier and connect agent telemetry with broader threat intelligence.

Frequently Asked Questions (FAQ)

What is HalluSquatting in simple terms?

HalluSquatting is when an attacker registers a name that an AI model is likely to invent, such as a repository or skill name. If an agent later tries to fetch that hallucinated resource, it may pull attacker-controlled content.

Is HalluSquatting the same as typosquatting?

No. Typosquatting targets human typing mistakes. HalluSquatting targets model-generated mistakes that may repeat across prompts, users, and agent workflows.

Is HalluSquatting confirmed in real-world attacks?

The available sources present HalluSquatting mainly as an emerging research-backed threat. They show practical risk and experimental success, but they do not establish widespread in-the-wild exploitation.

How can HalluSquatting lead to an agentic botnet?

If many agents retrieve the same attacker-registered hallucinated resource, and those agents have tool access, adversarial content could guide unsafe actions across multiple environments. Researchers describe this scaling effect as an agentic botnet scenario.

Conclusion

HalluSquatting turns LLM hallucinations into a supply chain risk when AI agents can fetch, install, or execute external resources. A plausible but incorrect name can lead agents to attacker-controlled content and allow that content to influence later tool use.

Organizations do not need to avoid AI agents, but they should govern agent workflows with the same care applied to software dependencies. That means verifying resources before retrieval, limiting high-risk tools, monitoring suspicious tool-call sequences, and treating agent marketplaces as part of the enterprise attack surface.