Back to Blog

Are Your AI Coding Tools Safe? 2026 Security Risks

A new attack called HalluSquatting is turning popular AI coding assistants into botnet installers. Here's what happened and how to protect yourself.

Are Your AI Coding Tools Safe? 2026 Security Risks
J
Jatin Kumar
July 10, 2026

Security researchers this week disclosed a new attack technique, dubbed HalluSquatting, that can turn some of the most widely used AI coding tools into unwitting parts of a botnet. If you use an AI coding assistant with terminal access, this is worth understanding before your next coding session.

What Happened


Researchers from Tel Aviv University, Technion, and Intuit found that AI coding assistants regularly hallucinate believable-sounding names for packages, repositories, or plugins that don't actually exist. Attackers can predict which fake names a model is statistically likely to invent for common prompts like "clone this repository," then register those exact names in advance and plant malicious code behind them. When an unsuspecting developer later asks their AI assistant to fetch that "package," the assistant retrieves the attacker's trap instead — and, in tools with terminal access, can end up executing it.


The technique was demonstrated against several popular tools, including well-known AI coding assistants and CLI-based agents. Because a single planted fake name can be hit by many different users asking similar prompts, researchers describe this as a scalable path toward assembling a botnet rather than a one-off, targeted attack.

Why This Matters More in "Auto-Run" Modes


The risk grows significantly when a coding assistant is running in a mode that skips human confirmation before executing fetched code — sometimes called auto-run, "yolo mode," or permission-bypass flags in various CLI tools. In these modes, the assistant can act on a hallucinated instruction without a person ever reviewing what's about to run, closing the gap between hallucination and actual code execution on your machine.

How to Protect Yourself When Using AI Coding Assistants



  • Avoid auto-run or "skip permissions" modes for anything that fetches external resources, especially on machines with sensitive access.

  • Verify package and repository names independently before letting an assistant install or clone something it suggested, particularly for less common libraries.

  • Review generated commands before execution rather than approving actions in bulk.

  • Keep coding assistants updated, since vendors are actively patching against this class of attack as it becomes public knowledge.


If you're evaluating which coding assistant to trust with elevated permissions, it's worth comparing vendor security practices directly — our AI tools for developers directory and AI code generator category both list current options with their key features side by side.

This Isn't Entirely New — It's an Evolution of "Slopsquatting"


HalluSquatting builds on a previously known problem called slopsquatting, where attackers publish malicious software packages under names that AI coding tools commonly hallucinate. What's different here is the scope: instead of targeting software package names specifically, HalluSquatting extends the same idea to a broader range of "agentic" resources an AI assistant might try to fetch, including repository names and AI skills or plugins.

Why AI Hallucinations Keep Creating New Security Problems


Large language models can't reliably tell the difference between an instruction from their actual user and one hidden inside content they're processing — a limitation known broadly as prompt injection. Combine that with a model's tendency to confidently invent plausible-sounding names when it doesn't know the real answer, and you get an entry point attackers can predict and pre-position against. This isn't a bug that gets patched once; it's a structural challenge in how current AI models work, meaning developers should expect similar attack patterns to keep surfacing as agentic AI tools gain more real-world permissions.

What This Means for Non-Developers Using AI Tools


Even if you're not writing code, this story is a useful reminder that any AI tool given permission to take real-world actions — installing something, sending an email, making a purchase — carries a different risk profile than a chatbot that only produces text. Before granting broad permissions to any AI tool, it's worth understanding exactly what it can do autonomously versus what still requires your explicit approval. Our full AI tools directory notes key capabilities and permission models for each listed tool to help with exactly this kind of evaluation.

Should You Stop Using AI Coding Assistants?


No — the practical response isn't to abandon AI coding tools, but to use them with the same caution you'd apply to any tool with terminal access. Most major vendors are already responding to this disclosure with security patches, and the core risk is manageable by avoiding auto-run modes and reviewing fetched resources before execution. Tools built with tighter default permission models are naturally lower risk, which is worth factoring into your next tool comparison.

Frequently Asked Questions

What is HalluSquatting?


It's a security technique where attackers predict and register the fake package or resource names an AI model is likely to hallucinate, then plant malicious code behind those names so it gets executed when an assistant fetches them.

Which AI tools were affected?


Researchers demonstrated the technique against several popular AI coding assistants and CLI-based agentic tools that can fetch external resources and execute commands.

Is this the same as a data breach?


No, this is a code-execution vulnerability rather than a breach of a specific company's stored data — the risk is on the end user's machine when their AI assistant fetches and runs attacker-controlled code.

How can I tell if my AI coding assistant is at risk?


If it can fetch external resources (packages, repositories, plugins) and execute commands with limited human review, it falls into the risk category researchers described. Checking for vendor security advisories is the fastest way to confirm current patch status.

Final Thoughts


HalluSquatting is a good reminder that giving AI tools real-world permissions — running commands, fetching resources, executing code — introduces risks that a simple chatbot doesn't carry. Review permission settings on any AI coding assistant you use, and compare current options with security and permission models in mind through the full AI tools directory on AI List Stack.

Want to stay updated?

Get the latest AI tool reviews and news delivered to your inbox.