Skip to content
feed: live
>_ 0dayNews
supply chain

HalluSquatting weaponizes AI-hallucinated npm packages

Tel Aviv researchers register the fake package names AI coding assistants keep inventing. Up to 100% hit rate on skill installs, no confirmed exploitation yet.

HalluSquatting weaponizes AI-hallucinated npm packages
Image: 0dayNews / 0dayNews Editorial · All rights reserved
Loop · Published · 3 min read

AI coding assistants sometimes reach for packages that do not exist. New research out of Tel Aviv University turns that habit into a delivery mechanism: work out which fake names an assistant reliably invents for a given prompt, register those names on npm first, and wait for the assistant to fetch them onto a developer’s workstation. The authors — Aya Spira, working in Ben Nassi’s group at Tel Aviv University, with Stav Cohen (Technion) and Ron Bitton (Intuit) — call the technique HalluSquatting, and the Hacker News writeup published this morning summarizes their measurements.

The measurements are the part worth reading. Across Cursor, Windsurf, GitHub Copilot, Cline, Google Gemini CLI, and an open-source Claude-style family, the same prompt phrasings produced the same wrong package name in up to 85% of repository requests and, for plugin/skill installs, up to 100%. That is not a jitter number. That is the assistant confidently handing the same imaginary name back to different users, day after day, until somebody registers it.

The registry is the substrate here

npm does not care whether a package name matches something a human ever typed. It does not verify that a package’s package.json repository field points at the code that got published. It does not check whether the name looks like a plausible hallucination of a real project. It accepts the upload, indexes the metadata, and hands it back on request. That is not new. It is the same substrate the DPRK-linked Rollup polyfill cluster sat on last week, the same substrate the 108-package PolinRider aggregation sat on the week before, and the same substrate typo-squatters have used against Python developers since before npm existed.

What HalluSquatting changes is the targeting oracle. Classic typo-squatting guesses at what a human might mistype — requests vs request, lodash vs lodahs. The Tel Aviv team measured what an LLM reliably mistypes for you, at scale, deterministically enough that the same wrong answer comes back to different users. The registry does not need to change for that to matter; the guessing game just got a better guesser.

What’s confirmed and what isn’t

Confirmed:

  • HalluSquatting as a lab-verified technique with the measurement rates above, published to the researchers’ project site and reported by The Hacker News on 2026-07-08.
  • One earlier real-world case the paper cites for context: in January 2026, a hallucinated npm package named react-codeshift was found spreading across roughly 237 downstream projects after AI-authored instructions pointed at the wrong name. That predates HalluSquatting as a named technique and was not part of a planned campaign, but it is the same failure mode arriving accidentally.

Not confirmed:

  • Any deliberately weaponized HalluSquatting package deployed in the wild as of publication. The researchers describe the attack and demonstrate it against production assistants; they do not report a threat actor running it end-to-end. If that changes we will update.

There is no CVE attached. This is a class of attack against a workflow, not a specific software flaw.

One thing to actually do this week

Pin the packages your AI assistant is allowed to install, or turn off its ability to install packages unattended at all. Both Cursor and Copilot’s agent modes will happily run npm install <whatever> when they think they need to; that is the specific hook HalluSquatting relies on. A short allowlist — the actual dependencies your project already has — turns “the assistant hallucinated a package name” from an install into an error message. It does not fix npm. It removes the one step in the chain that puts unreviewed code on a developer machine.

The researchers’ recommended mitigations — pre-registering commonly hallucinated names, requiring the assistant to resolve a name to a real repository before fetching, restricting reuse of well-known repository names — all sit on the registry side and are worth lobbying for. In the meantime, the allowlist sits on your side, and it works today.

Found this useful? Share it.