Nine of the most widely deployed AI tools on the market can be abused to set up massive botnets, according to new research from Palo Alto Networks' security unit Unit 42. The attack vector has been dubbed "HalluSquatting" — and it builds on something many users already know as an annoyance: AI models making things up.
What is HalluSquatting?
When an AI model doesn't know the answer to a question, it rarely says "I don't know." Instead, it generates a response that sounds plausible — complete with domain names, download links, and package names that don't actually exist. This is known as hallucination.
HalluSquatting turns this weakness into a weapon. Attackers analyze which fake domains and package names AI models tend to fabricate — and then register them. When a developer asks an AI assistant for help installing a library or locating a resource, they can unknowingly be directed to a page controlled by a criminal actor.
According to Ars Technica, this is not a hypothetical threat: Unit 42 analyzed 2.1 million URLs generated by two large language models and found more than 13,000 confirmed malicious links.

The scale makes it especially dangerous
A particularly alarming finding is that different AI models often hallucinate the same names. This means an attacker who registers a single fake domain can potentially reach users across many different tools and platforms — from developer utilities to customer-facing chatbots.
Different models often hallucinate the same names — a single malicious registration can hit users across many tools simultaneously.
This opens the door to classic attack scenarios such as phishing pages, malware distribution, and supply-chain attacks — all triggered by a user following a link the AI model invented itself.
Developers and businesses are exposed
The nine vulnerable tools cited in the research are among the most widely used in the industry globally. Developers who rely on AI coding assistants to find packages, libraries, or documentation are at particular risk. So are businesses that have integrated AI chatbots into customer-facing interfaces where users may be recommended external links.
The vulnerabilities do not stem from a specific bug in the code, but from the very architecture of language models: they are trained to generate plausible responses, not to verify whether what they say is actually true.
How tool developers can protect themselves
Security researchers outline several measures that can significantly reduce the risk, according to Unit 42's analysis:
According to the research material, OpenAI has demonstrated a reduction of more than 30 percent in hallucinations on clinical questions after fine-tuning on medical datasets. Meta AI is reported to have developed a dedicated hallucination detection model that flagged errors in 92 percent of test cases.
There is reason to note, however, that these measures are not universally implemented. The researchers behind the Unit 42 analysis emphasize that many tools still lack basic protection mechanisms against this type of exploitation — making HalluSquatting an active and real threat as of today.
What should users do?
Until vendors implement adequate security measures, developers and other professional users should always verify domains, package names, and links suggested by AI tools against official and trusted sources. Never blindly copy a link from an AI response — look up the package directly in official registries such as npm, PyPI, or similar.
For businesses offering AI-powered customer interfaces, it is important to ensure that the model cannot generate external links without a verification mechanism running in the background.
