AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 51

New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware 新型HalluSquatting攻击可欺骗AI编程助手安装僵尸网络恶意软件

Researchers introduce "HalluSquatting," a novel attack vector where adversaries register fake software package names that AI coding assistants frequently hallucinate. The attack exploits the combination of AI hallucinations and indirect prompt injection, tricking autonomous agents into fetching and executing malicious code from the registered fake repositories. Tests demonstrate high success rates (up to 85% for repos, 100% for skills) across major AI coding assistants like Cursor, GitHub Copilo 研究人员提出“HalluSquatting”攻击,利用AI编程助手的幻觉特性预测其生成的虚假资源名称并抢先注册。 攻击者通过在注册的虚假仓库中植入提示注入指令,诱导AI助手自动拉取并执行恶意代码,从而组建僵尸网络。 该攻击成功绕过传统防火墙,针对Cursor、Copilot等多个主流AI编程工具,无需用户交互即可在本地机器上运行代码。 核心防御策略包括强制AI在获取资源前进行真实存在性验证,以及禁止AI助手在未人工确认的情况下自动执行命令。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • Researchers introduce "HalluSquatting," a novel attack vector where adversaries register fake software package names that AI coding assistants frequently hallucinate.
  • The attack exploits the combination of AI hallucinations and indirect prompt injection, tricking autonomous agents into fetching and executing malicious code from the registered fake repositories.
  • Tests demonstrate high success rates (up to 85% for repos, 100% for skills) across major AI coding assistants like Cursor, GitHub Copilot, and Gemini CLI.
  • This method enables the creation of a heterogeneous botnet by leveraging the AI agent as a delivery mechanism, bypassing traditional network defenses and requiring no user interaction.
  • Mitigation strategies include enforcing pre-fetch lookups to ground AI in reality and disabling auto-run permissions for fetched resources.

Why It Matters

This research highlights a critical security vulnerability in the growing ecosystem of autonomous AI coding agents, demonstrating how model inaccuracies can be weaponized to compromise user infrastructure. It signals a shift in threat landscapes where AI models themselves become vectors for supply chain attacks, necessitating immediate changes in how developers configure and monitor AI-assisted development environments.

Technical Details

  • Attack Mechanism: The attack chains two vulnerabilities: AI hallucination (predictably inventing non-existent package names for trending tools) and indirect prompt injection (embedding malicious instructions within the fetched fake package).
  • Exploitation Process: Adversaries identify trending resources, determine the specific fake names the AI generates through repeated queries, register those names on platforms like GitHub or npm, and inject adversarial commands into the package metadata or code.
  • Execution Vector: When a user’s AI assistant attempts to fetch the real resource, it retrieves the attacker’s fake package instead. The injected instructions hijack the agent’s planning module, causing it to execute arbitrary commands, such as installing botnet malware, using its built-in terminal capabilities.
  • Effectiveness: Experiments showed consistent hallucination patterns across different models and phrasings, with the AI selecting the same fake name in up to 85% of repository requests and 100% of skill installs.
  • Targeted Systems: The attack was successfully demonstrated on Cursor, Windsurf, GitHub Copilot, Cline, Google’s Gemini CLI, and OpenClaw, proving its applicability across diverse AI agent architectures.

Industry Insight

  • Security Configuration: Developers and organizations must disable "auto-run" or "skip-permission" modes in AI coding assistants. Agents should never be allowed to execute commands from fetched resources without explicit human review.
  • Agent Design: Tool builders need to implement grounding mechanisms, such as mandatory pre-fetch lookups or API validations, to ensure the AI references existing, verified resources rather than relying on probabilistic name generation.
  • Supply Chain Vigilance: Security teams should monitor for "slopsquatting" or "phantom squatting" activities in package registries and domain markets, treating AI-generated hallucinations as a potential attack surface for social engineering and code injection.

TL;DR

  • 研究人员提出“HalluSquatting”攻击,利用AI编程助手的幻觉特性预测其生成的虚假资源名称并抢先注册。
  • 攻击者通过在注册的虚假仓库中植入提示注入指令,诱导AI助手自动拉取并执行恶意代码,从而组建僵尸网络。
  • 该攻击成功绕过传统防火墙,针对Cursor、Copilot等多个主流AI编程工具,无需用户交互即可在本地机器上运行代码。
  • 核心防御策略包括强制AI在获取资源前进行真实存在性验证,以及禁止AI助手在未人工确认的情况下自动执行命令。

为什么值得看

这篇文章揭示了AI代理(Agent)自动化能力带来的新型供应链安全风险,特别是当AI具备自主联网和执行权限时,其幻觉可能被转化为精确的攻击向量。对于AI开发者和企业安全团队而言,这标志着防护重点需从单纯的模型准确性转向对代理行为边界和外部资源验证机制的严格管控。

技术解析

  • 攻击原理:结合“幻觉”(Hallucination)与“间接提示注入”(Indirect Prompt Injection)。攻击者通过反复询问AI获取热门但不存在于训练数据中的资源名,统计出AI最常编造的假名,随后在GitHub等平台注册该名称并植入恶意指令。
  • 执行流程:当用户请求安装该资源时,AI因幻觉指向攻击者注册的假仓库,AI助手自动拉取代码并执行其中的隐藏指令(如“安装bot”),利用内置终端权限在本地部署恶意软件。
  • 实验结果:在多项测试中,AI对特定错误名称的预测一致性高达85%-100%。攻击成功作用于Cursor、Windsurf、GitHub Copilot、Cline及Gemini CLI等工具,证明了跨平台的有效性。
  • 基础设施漏洞:现有的应用商店扫描机制未能有效拦截此类恶意技能包,且许多AI助手默认或允许开启“自动运行”模式(如跳过权限确认),为攻击提供了执行环境。

行业启示

  • 重塑AI代理安全架构:开发者必须重新评估AI代理的权限模型,默认禁用自动执行外部资源的命令,引入“先验证后操作”的工作流,确保所有外部资源存在性经过真实数据库查询而非依赖模型记忆。
  • 市场与生态治理责任:代码托管平台和插件市场需建立更严格的名称注册审核机制,监测异常的高频注册行为,并加强对上传内容的自动化恶意代码检测,防止成为AI幻觉攻击的跳板。
  • 安全意识升级:企业和用户需警惕AI助手的“过度自信”,在启用自动化功能时应保持人工监督,特别是在涉及系统配置、网络请求和代码执行的关键环节,避免将完全控制权交给缺乏现实世界校验能力的AI。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Code Generation 代码生成 Security 安全 LLM 大模型