HalluSquatting weaponizes AI-hallucinated npm packages
Tel Aviv researchers register the fake package names AI coding assistants keep inventing. Up to 100% hit rate on skill installs, no confirmed exploitation yet.
AI coding assistants sometimes reach for packages that do not exist. New research out of Tel Aviv University turns that habit into a delivery mechanism: work out which fake names an assistant reliably invents for a given prompt, register those names on npm first, and wait for the assistant to fetch them onto a developer’s workstation. The authors — Aya Spira, working in Ben Nassi’s group at Tel Aviv University, with Stav Cohen (Technion) and Ron Bitton (Intuit) — call the technique HalluSquatting, and the Hacker News writeup published this morning summarizes their measurements.
The measurements are the part worth reading. Across Cursor, Windsurf, GitHub Copilot, Cline, Google Gemini CLI, and an open-source Claude-style family, the same prompt phrasings produced the same wrong package name in up to 85% of repository requests and, for plugin/skill installs, up to 100%. That is not a jitter number. That is the assistant confidently handing the same imaginary name back to different users, day after day, until somebody registers it.
The registry is the substrate here
npm does not care whether a package name matches something a human ever
typed. It does not verify that a package’s package.json repository field
points at the code that got published. It does not check whether the name
looks like a plausible hallucination of a real project. It accepts the
upload, indexes the metadata, and hands it back on request. That is not
new. It is the same substrate the DPRK-linked Rollup polyfill
cluster
sat on last week, the same substrate the 108-package PolinRider
aggregation
sat on the week before, and the same substrate typo-squatters have used
against Python developers since before npm existed.
What HalluSquatting changes is the targeting oracle. Classic typo-squatting
guesses at what a human might mistype — requests vs request, lodash
vs lodahs. The Tel Aviv team measured what an LLM reliably mistypes for
you, at scale, deterministically enough that the same wrong answer comes
back to different users. The registry does not need to change for that to
matter; the guessing game just got a better guesser.
What’s confirmed and what isn’t
Confirmed:
- HalluSquatting as a lab-verified technique with the measurement rates above, published to the researchers’ project site and reported by The Hacker News on 2026-07-08.
- One earlier real-world case the paper cites for context: in January
2026, a hallucinated npm package named
react-codeshiftwas found spreading across roughly 237 downstream projects after AI-authored instructions pointed at the wrong name. That predates HalluSquatting as a named technique and was not part of a planned campaign, but it is the same failure mode arriving accidentally.
Not confirmed:
- Any deliberately weaponized HalluSquatting package deployed in the wild as of publication. The researchers describe the attack and demonstrate it against production assistants; they do not report a threat actor running it end-to-end. If that changes we will update.
There is no CVE attached. This is a class of attack against a workflow, not a specific software flaw.
One thing to actually do this week
Pin the packages your AI assistant is allowed to install, or turn off
its ability to install packages unattended at all. Both Cursor and
Copilot’s agent modes will happily run npm install <whatever> when
they think they need to; that is the specific hook HalluSquatting relies
on. A short allowlist — the actual dependencies your project already
has — turns “the assistant hallucinated a package name” from an install
into an error message. It does not fix npm. It removes the one step in
the chain that puts unreviewed code on a developer machine.
The researchers’ recommended mitigations — pre-registering commonly hallucinated names, requiring the assistant to resolve a name to a real repository before fetching, restricting reuse of well-known repository names — all sit on the registry side and are worth lobbying for. In the meantime, the allowlist sits on your side, and it works today.
Found this useful? Share it.

