AI Security AI安全 14h ago Updated 11h ago 更新于 11小时前 51

‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism “幻觉 squatting”将 AI 幻觉转化为僵尸网络交付机制

HalluSquatting is a novel, untargeted promptware attack that exploits AI hallucinations to register fake repositories or packages with malicious intent. Attackers pre-register names that LLMs frequently invent when fetching trending resources, achieving hallucination rates up to 100% for skill installations. Once an AI assistant hallucinates the squatted name, it automatically pulls and executes malicious commands via its built-in terminal, enabling agentic botnet creation. This method bypasses 特拉维夫大学等机构提出“HalluSquatting”攻击,利用AI助手的幻觉特性,通过预注册虚假代码库名称实现规模化感染。 攻击者无需直接访问用户即可实施无差别提示词注入,测试显示克隆仓库的幻觉率高达85%,技能安装达100%。 恶意代码植入虚假仓库后,当AI助手执行克隆或安装指令时,会通过内置终端自动执行攻击者预设的命令。 该攻击旨在构建“代理僵尸网络”,利用提示词注入绕过传统防火墙,形成比传统Botnet更异构且难以防御的威胁。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • HalluSquatting is a novel, untargeted promptware attack that exploits AI hallucinations to register fake repositories or packages with malicious intent.
  • Attackers pre-register names that LLMs frequently invent when fetching trending resources, achieving hallucination rates up to 100% for skill installations.
  • Once an AI assistant hallucinates the squatted name, it automatically pulls and executes malicious commands via its built-in terminal, enabling agentic botnet creation.
  • This method bypasses traditional firewalls by leveraging prompt injection through hallucinated code execution, creating heterogeneous compromised hosts unlike traditional botnets.

Why It Matters

This research highlights a critical new attack surface where AI assistants' inherent tendency to hallucinate is weaponized for scalable cyberattacks. It demonstrates that security measures must extend beyond input sanitization to include verification of AI-generated outputs and resource references, as current defenses do not account for hallucination-driven command execution.

Technical Details

  • Adversarial Hallucination Squatting: Attackers identify common hallucinated repository/package names used by LLMs and pre-register these domains or packages on public registries.
  • High Hallucination Rates: Tests showed hallucination rates of 85% for repo-cloning prompts and 100% for skill installations across multiple foundation models, indicating broad transferability.
  • Automated Execution: When users ask AI coding tools (e.g., Cursor, Copilot, Cline) to fetch resources, the AI hallucinates the squatted name, clones the malicious repository, and executes embedded instructions via the terminal.
  • Agentic Botnet Formation: The attack facilitates the creation of agentic botnets that spread via prompt injections rather than traditional vulnerability exploitation, allowing them to infect diverse devices regardless of firewall configurations.

Industry Insight

  • Security frameworks for AI agents must incorporate strict validation mechanisms for all external resource fetches, ensuring that URLs and package names are verified against known legitimate sources before execution.
  • Developers should implement sandboxing and permission controls that prevent AI tools from executing arbitrary shell commands or installing packages without explicit, verified user confirmation.
  • Vendors need to update their models to reduce hallucination rates regarding specific technical identifiers and integrate real-time checks against registry databases to detect squatting attempts.

TL;DR

  • 特拉维夫大学等机构提出“HalluSquatting”攻击,利用AI助手的幻觉特性,通过预注册虚假代码库名称实现规模化感染。
  • 攻击者无需直接访问用户即可实施无差别提示词注入,测试显示克隆仓库的幻觉率高达85%,技能安装达100%。
  • 恶意代码植入虚假仓库后,当AI助手执行克隆或安装指令时,会通过内置终端自动执行攻击者预设的命令。
  • 该攻击旨在构建“代理僵尸网络”,利用提示词注入绕过传统防火墙,形成比传统Botnet更异构且难以防御的威胁。

为什么值得看

这篇文章揭示了AI安全领域一种全新的攻击向量,即利用大语言模型的固有缺陷(幻觉)而非软件漏洞进行攻击,这对依赖AI辅助编程的行业构成了直接威胁。它标志着网络攻击从针对基础设施转向针对AI代理的行为逻辑,迫使开发者重新审视AI工具的安全边界和输入验证机制。

技术解析

  • 攻击原理:采用“对抗性幻觉抢注”技术,攻击者预先注册那些LLM在回答关于流行资源问题时容易虚构出的仓库或包名。
  • 高幻觉率数据:研究人员在测试中发现,针对仓库克隆提示的幻觉率高达85%,针对技能安装的幻觉率达到100%,且不同基础模型产生的幻觉名称具有高度可转移性和重复性。
  • 自动化执行链:当用户使用Cursor、Copilot等工具请求获取资源时,AI会错误地调用预注册的恶意仓库,并通过其内置终端执行其中植入的恶意指令,进而部署更多工具或代码。
  • 代理僵尸网络:与传统依赖漏洞的Botnet不同,这种新型僵尸网络通过提示词注入传播,能够绕过传统防火墙,感染各种异构设备,其规模取决于AI幻觉的频率。

行业启示

  • 重塑AI安全范式:安全防御重点需从传统的代码漏洞扫描扩展到对AI模型行为逻辑和幻觉模式的监控,特别是在涉及外部资源拉取和执行命令的场景中。
  • 强化人机协作边界:AI编码助手在执行高风险操作(如克隆仓库、安装依赖、执行终端命令)前,必须引入更强的人机确认机制或沙箱隔离,防止自动化执行恶意载荷。
  • 关注供应链与生态风险:随着AI代理能力的增强,基于幻觉的无差别攻击可能成为新的基础设施威胁,行业需建立针对AI生成内容的验证标准和快速响应机制。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

LLM 大模型 Security 安全 Research 科学研究