
In short
- Researchers developed “Adversarial HalluSquatting,” an attack that uses artificial intelligence.
- This technique tricks AI agents into trusting fake databases or tools with malicious instructions.
- Tests against AI code assistants have shown that the method can lead to far-reaching performance in controlled trials.
AI concepts may be more than just wrong answers—they could be the way to destroy computing, according to new research from Tel Aviv University, the Technion, and Intuit.
In paper“Beware of Agentic Bottlenecks: Scalable Untargeted Promptware Attacks through Universal and Transferable Adversarial HalluSquatting,” researchers showed a method that uses AI models when it creates fake links to software sites and other online resources.
“The rapid growth of LLM applications has led to a new threat known as promptware,” the researchers wrote. “Although previous work has proven that attackers can use direct methods in LLM to exploit promptware under weak threats, many programs do not provide direct methods that can be used to inject prompts beyond the Internet.”
Known as adversarial hallucination squatting or “HalluSquatting,” the attack involves making false predictions about what AI models will do, registering those names, and adding malicious instructions. If the AI agent later retrieves the content it has seen, it may view the content operated by the attacker as legitimate.
The researchers said the threat comes as AI agents continue to answer questions and acquire skills to interact with computers — accessing files, searching the web, writing code, and running commands.
Those capabilities can create security gaps where agents can access information without verifying the source’s authenticity.
“Continued research has revealed a variety of Promptware attacks against real-world systems, including ChatGPT, Google Assistant, Copilot, and others,” he wrote. “These actions demonstrate that Promptware can pose economic, privacy and security risks.”
The researchers warned that this method could allow the attackers to create AI-powered botnets. A boat refers to an infected computer system or device that is controlled remotely by an attacker. Botnets are widely used in cyber attacks, including denial of service, cryptocurrency mining, distribution of malwareand ransomware campaign.
In testing, the researchers found that AI-generated product simulations performed at rates as high as 85% in the museum and 100% in the skill placement tests.
The team tested the method against AI code assistants and assistants, including Pointer, GitHub Copilot, Gemini CLI, and OpenClaw.
HalluSquatting is similar to typosquattinga cyberattack technique where attackers register domain names similar to legitimate websites or software programs to trick users. Instead of using human typing errors, HalluSquatting looks for AI-generated errors.
The news comes as researchers continue to test how attackers can use AI agents.
In April, Google researchers in detail malicious websites designed to cheat AI agents through real-time injections, including attempts to steal passwords, delete files, and manipulate payments. A special lesson on “CopyPasta“The attack showed how hidden features inside software development files can compromise AI agents to spread malicious code.
In June, an OpenClaw user reported that he was experiencing more than 6,000 an attempt by attackers who try to trick an AI agent into divulging confidential information.
Daily Debrief A letter
Start each day with top stories right here, including originals, podcasts, videos and more.





