Security researchers have uncovered a new threat that allows hackers to use nine of the most popular AI tools to assemble massive botnets. The attack, called "HalluSquatting," exploits a fundamental weakness in large language models (LLMs) — their inability to say "I don't know."
What is HalluSquatting and how does it work?
HalluSquatting weaponizes the prompt injection vulnerability that has become the top threat in AI security. According to Ars Technica, large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing.
This makes it trivial for attackers to surreptitiously inject malicious commands that the LLM readily follows. With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause.
Push-based prompt injection targeting victims
To date, most prompt injections have fallen into a class known as "push," in which each potential victim is targeted. In this case, the adversary injects malicious instructions into content that the AI tool processes, effectively turning the tool into a botnet node.
"HalluSquatting weaponizes LLMs' inability to say 'I don't know.'" — Ars Technica
The attack exploits the fact that LLMs are designed to always provide an answer, even when they lack sufficient information. Hackers can feed these models fabricated data or commands that the AI treats as authoritative, leading it to execute harmful actions across a network of compromised tools.
Why this matters for AI security
The discovery highlights a critical flaw in current AI architecture. Unlike traditional software, where input validation can separate trusted commands from malicious ones, LLMs process all content — including hidden instructions — as legitimate. This means that simply using a popular AI tool could expose users to botnet recruitment.
Researchers note that the nine most popular AI tools are particularly vulnerable because they are widely integrated into workflows, giving attackers a large surface area to exploit. The botnets assembled through this method could be used for distributed denial-of-service attacks, data theft, or spreading further malware.
Our Take: A fundamental design flaw that needs urgent fixing
This is not just another security patch issue — it is a fundamental design flaw in how large language models work. The fact that LLMs cannot distinguish between a user's command and a hidden instruction in an email or code snippet means every AI tool is a potential weapon waiting to be turned against its user.
In our view, AI developers need to stop treating prompt injection as a minor nuisance and start building systems that can say "I don't know" or "I cannot process this request." Until then, every organization using these tools is at risk of unknowingly contributing to a botnet. The industry must prioritize input validation and context awareness as core features, not afterthoughts.