Home/ Blog/ Security news/ Article
Blog · Security news

Three attacks in one week turned AI coding agents into an unmonitored way onto your network

HalluSquatting and Friendly Fire show AI coding agents running attacker code with a developer's privileges. No CVE, no patch. Here is the detection posture.

Open unattended gate in an intact wall with a glowing conduit passing straight through

A developer laptop running an AI coding agent with auto-run enabled is now one of the least monitored ways an attacker can execute code inside your network. That is the honest read of a single week in early July, when three separate research groups published attacks that all end the same way: the agent runs code it was never handed, using the privileges of the person sitting in front of it. There is no CVE to close and no vendor patch coming, because none of these are bugs in one product. They are the same design gap surfacing three ways.

On July 8, researchers at Tel Aviv University, the Technion, and Intuit disclosed HalluSquatting, a technique that turns an AI model's habit of inventing package names into a delivery channel for botnet malware. A day later, the AI Now Institute published Friendly Fire, showing that agents built to audit untrusted code can be talked into executing it. The same week brought GhostApproval, reported as a set of symlink flaws that let a malicious repository run code inside coding agents. Read together, they describe a new endpoint class, not three isolated advisories.

Hallucination-squatting jumped from domains to code execution

We covered the domain version of this last week: Unit 42 found attackers registering the fake web addresses models reliably invent, so a chatbot's confident answer sends real users to attacker infrastructure. HalluSquatting is the same idea moved up the stack, from a phishing problem to a code-execution one. Ask a coding assistant to pull a well-known tool and it will occasionally answer with a plausible-looking package that was never published. An attacker who learns which fabricated name a given model favors can register it first, on a package registry, a plugin store, or GitHub, and load it with instructions.

What makes it a reliable attack rather than a lucky one is the repeatability. The Tel Aviv team measured up to 85 percent consistency in the fake repository name a model produced across different phrasings, and reported a 100 percent hallucination rate on some skill installs. That is the point most coverage skated past: an attacker registers a hallucinated name once and then collects every developer whose agent invents it, across models from different vendors. A probabilistic quirk becomes a deterministic distribution list. The researchers demonstrated it against nine agents, including Cursor, Gemini CLI, Windsurf, GitHub Copilot, and Cline, and framed the reach as botnet-grade: enough compromised developer machines to run cryptomining, distributed denial of service, or coordinated ransomware across the networks those developers can touch.

Friendly Fire: the auditor becomes the executor

The AI Now Institute study attacks the problem from a different angle and lands in the same place. Researchers Boyan Milanov and Heidy Khlaaf planted directions inside an ordinary README.md in an open-source repository, dressed up an attacker binary to look like build output from a trusted source file, and pointed a code-auditing agent at the project. Told to review it, the agent treated the file's instruction to execute a bundled security.sh helper as part of its assignment and ran the hidden payload. They reproduced this against Claude Code and OpenAI Codex.

Their conclusion is the line every security team should sit with: no future model release closes this, because the model still has no dependable way to tell the code it is examining apart from any commands buried inside that code. That is the shared root cause under all three disclosures. An agent that ingests untrusted content and can also act, fetch, compile, run, has no dependable boundary between data and command. Instruction-versus-data confusion is not new; putting it behind a shell on a developer's machine is.

Disclosure (early July 2026)MechanismEnds inCVE / patch
HalluSquattingModel invents a package name; attacker pre-registers itAttacker code fetched and runNone
Friendly FireMalicious README instructions read as a taskAuditing agent runs the payloadNone
GhostApprovalSymlink handling in a malicious repoRepo runs code in the agentNone
Source: HalluSquatting (Tel Aviv University, Technion, Intuit); Friendly Fire (AI Now Institute); GhostApproval, as reported.

This is an endpoint problem, not a vulnerability problem

Security teams are organized to answer "what do we patch." These attacks give no answer, and that is the trap. There is no fixed version to move to, no advisory to track to closed, nothing for a scanner to flag. If your program routes AI-agent risk through vulnerability management, it will show green while the exposure grows, because vulnerability management measures things with CVEs and these have none.

Reframe it as what it is. A developer workstation running an agent that can fetch remote content and execute commands, with approvals turned off, is an endpoint that runs attacker-influenced code with a human's standing privileges and reaches everything that human reaches: source, cloud credentials, internal APIs, production. That is the definition of a high-value host, and it is usually one of the least instrumented machines you own. The relevant controls are the ones you already apply to privileged endpoints, moved onto the coding agent: acceptable-use policy, least privilege, and process telemetry. Our running series on a clean repo that hands over a shell, an old bash trick that revives blocked commands, and an agent coaxed into leaking a private repo is not a list of unrelated bugs. It is the same endpoint class failing over and over.

The telemetry that catches this is process ancestry, not signatures

None of these attacks need a new malicious binary sitting on disk for a scanner to find. HalluSquatting arrives as a package the developer meant to install; Friendly Fire runs a script the agent decided to run. What they cannot hide is the process tree. The coding agent is a known parent process, a Node or Python CLI, and when it spawns a shell, a compiler, a curl or wget, or opens an outbound connection it did not open a minute ago, that ancestry is the anomaly. Build detections on it: the agent's binary spawning an interpreter or network client, package-manager installs that fire outside a human-initiated build, and outbound connections parented by the editor rather than the browser. This is the layer threat hunting and endpoint monitoring already watch on servers; a managed detection layer that reads process ancestry and outbound flows and alerts on the deviation is the same discipline pointed at a machine most teams left out of scope.

Turn off auto-run before you write a single detection

The cheapest control ships in the tools themselves. The single change that defuses most of this is removing the agent's permission to act without a human clicking yes: disable the skip-approval and "yolo" auto-run modes that let an agent fetch and execute in one uninterrupted step. That converts every one of these attacks from silent execution into a prompt a developer has to approve, which is exactly the moment a fake package name or an odd script invocation becomes visible. Pair it with a standing rule the whole team hears: the name an assistant gives you is a prediction, not a verified fact, so confirm a package or repository exists before you let the agent pull it. Then instrument the workstations and hunt the process tree for the days the policy slips. Patching is not on the table here. Configuration and detection are the whole game.

Topics

Frequently asked questions

What is HalluSquatting?

HalluSquatting is an attack that exploits an AI coding assistant's habit of inventing package, repository, or plugin names. Researchers from Tel Aviv University, the Technion, and Intuit showed that attackers can pre-register the fake names a model reliably produces, seed them with malicious instructions, and have the agent fetch and run attacker code.

How is HalluSquatting different from phantom squatting?

Phantom squatting registers hallucinated web domains and ends in phishing or a misdirected request. HalluSquatting registers hallucinated package and repository names and ends in code execution on the developer's machine. It is the same hallucination-squatting idea moved from network traffic up to the software supply chain.

Why is there no patch for these AI coding agent attacks?

Because none is a bug in a single product. They exploit a shared design gap: agents that read untrusted content and can also act cannot reliably tell the data they are reading from the instructions they should follow. The AI Now Institute researchers state directly that a model update does not fix it.

How can a security team detect these attacks?

Watch process ancestry, not file signatures. The coding agent is a known parent process. Alert when it spawns a shell, compiler, or network client like curl, when package installs fire outside a human-initiated build, or when the editor opens new outbound connections. The malicious code has no unique binary to scan for.

What is the single most effective control?

Disable the auto-run or "yolo" modes that let an agent fetch and execute without approval. That turns silent execution into a prompt a developer must accept, which is where a fake package name or an unexpected script becomes visible. Add a rule to verify any name an AI suggests before installing it.

Which AI coding agents are affected by HalluSquatting?

The Tel Aviv University team demonstrated it against nine agents, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, and Cline. Because the underlying weakness is model hallucination plus the ability to act, the technique is not specific to one vendor and generalizes across agents that can fetch and run third-party resources.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.