
The scientists are working on common LLM-backed programming applications, including Cursor, Windsurf, and OpenClaw, among others. In this scenario, the bots stand a better chance given they're working with more context information, but even still, the success rates for hacking ranged from 20%-35% for Cursor, Gemini CLI, and Copilot, and increased massively to close to 80-100% on OpenClaw and its variants. The exploit mechanism doesn't even need to be crafted specifically for any bot; the researchers' results show it's universal and transferable, too.
The mean hallucination rate for names of sample GitHub repositories published in 2025 is 92.4%, while predictably, bots get the URLs wrong 0.9% for those from 2019 or earlier, though that's arguably still a concerning figure. The most effective mitigation is adjusting workflow: instructing bots to always run web searches before installing software, and providing them with additional context. Unfortunately, that's not the default way most people appear to use them.
Cybersecurity professionals have long advocated for not blindly trusting a bot's actions and severely restricting the access level granted to AI agents. And yet it's not uncommon to see bots with wide-ranging permissions over users' machines, API keys, access keys, and service accounts, to name a few — all in a bid to make it "easier" for the bot to vibe-code their pointy-haired-boss' latest brilliant idea.
Follow Tom's Hardware on Google News , or add us as a preferred source , to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals. ","collapsible":{"enabled":true,"maxHeight":250,"readMoreText":"Read more","readLessText":"Read less"}}), "https://slice.vanilla.futurecdn.net/13-4-25/js/authorBio.js"); } else { console.error('%c FTE ','background: #9306F9; color: #ffffff','no lazy slice hydration function available'); } Bruno Ferreira Social Links Navigation Contributor Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
PEnns "The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely)" As usual, the weakest link / silliest scenario: If the attacker ALREADY has access to the user's machine, why all this commotion about having AI do nefarious stuff…if the remote attacker can do even worse with / out AI?? Reply
rluker5 The takeaway from this story could be: don't let an AI agent find and run software for you from the internet unchecked. Who would do such a thing anyways? In the future it may be the default due to a Windows update. Just yesterday, while my daughter was at piano lessons, I was checking out water softener options and wanted to know the water hardness in my locality. I searched for the answer using Edge on my phone and could only get that AI summary and nothing else. I tried several times and it kept repeating so I switched the search engine from Bing to something else and had the AI headline paragraph again which continued to state that my water hardness was either 21 or 3.4 grains per gallon which was a worthless answer, but that was now followed by the actual search results which I used to get a real answer. Who would make my mobile search sometimes only include the AI summary as an answer? In this case Microsoft. The push for AI use at the expense of functionality or security is real. Reply
rluker5 PEnns said: "The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely)" As usual, the weakest link / silliest scenario: If the attacker ALREADY has access to the user's machine, why all this commotion about having AI do nefarious stuff…if the remote attacker can do even worse with / out AI?? The weakest link is that agentic AI is the one that gives the attacker this access by running code from an imposter website, which all agentic AIs apparently are prone to doing. Reply
edzieba PEnns said: "The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely)" As usual, the weakest link / silliest scenario: If the attacker ALREADY has access to the user's machine, why all this commotion about having AI do nefarious stuff…if the remote attacker can do even worse with / out AI?? Did you not actually read the article, or merely not understand it? This attack allows an attacker to host malicious code on Github (or similar repos) with names similar to popular repos – same concept as DNS typosquatting, but targeting LLM hallucination malformations rather than human typing malformations – and all that attacker then needs to do is sit and wait, as 'AI agents' will hallucinate names similar to the requested repo, find that hallucinated repo already exists, then blindly execute code from that repo. The attacker does not require any prior access to the targets, the targets come to them and pwn themselves. Reply
PEnns edzieba said: Did you not actually read the article, or merely not understand it? This attack allows an attacker to host malicious code on Github (or similar repos) with names similar to popular repos – same concept as DNS typosquatting, but targeting LLM hallucination malformations rather than human typing malformations – and all that attacker then needs to do is sit and wait, as 'AI agents' will hallucinate names similar to the requested repo, find that hallucinated repo already exists, then blindly execute code from that repo. The attacker does not require any prior access to the targets, the targets come to them and pwn themselves. Nah, us peasants don't. Only you can read and comprehend and willfully skip over the quoted part, FROM THE ARTICLE! Reply
JohnyFin Don't know …to cry or laugh .. Reply
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/hallusquatting-is-the-latest-agentic-ai-exploit-where-models-dream-up-potentially-malicious-urls-in-tool-calls-attack-exploits-a-fundamental-weakness-in-every-available-model#main
- https://www.tomshardware.com/subscription
- While the U.S. flip-flops on chip sanctions, China is building its own chip supply market — export controls are creating conditions for a Sino-Russian chip trad
- Tencent is reportedly in talks to acquire Manus from Meta, following Beijing intervention — company expects to remain independent of Chinese tech giant
- New hack exploits AI hallucinations to trick agents into running malicious code — 'HalluSquatting' attack exploits a fundamental weakness in every available mod
- Micron lifts U.S. spending to $250 billion — company takes $500 million position in America's only 300 mm wafer plant
- Hotspot temperature sensor on Nvidia's Blackwell gaming GPUs is still accessible if you have access to Nvidia's internal MODS tool — Nvidia RTX 5070 Ti caught t
Informational only. No financial advice. Do your own research.