
The scientists are working on common LLM-backed programming applications, including Cursor, Windsurf, and OpenClaw, among others. In this scenario, the bots stand a better chance given they're working with more context information, but even still, the success rates for hacking ranged from 20%-35% for Cursor, Gemini CLI, and Copilot, and increased massively to close to 80-100% on OpenClaw and its variants. The exploit mechanism doesn't even need to be crafted specifically for any bot; the researchers' results show it's universal and transferable, too.
The mean hallucination rate for names of sample GitHub repositories published in 2025 is 92.4%, while predictably, bots get the URLs wrong 0.9% for those from 2019 or earlier, though that's arguably still a concerning figure. The most effective mitigation is adjusting workflow: instructing bots to always run web searches before installing software, and providing them with additional context. Unfortunately, that's not the default way most people appear to use them.
Cybersecurity professionals have long advocated for not blindly trusting a bot's actions and severely restricting the access level granted to AI agents. And yet it's not uncommon to see bots with wide-ranging permissions over users' machines, API keys, access keys, and service accounts, to name a few — all in a bid to make it "easier" for the bot to vibe-code their pointy-haired-boss' latest brilliant idea.
Follow Tom's Hardware on Google News , or add us as a preferred source , to get our latest news, analysis, & reviews in your feeds.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals. ","collapsible":{"enabled":true,"maxHeight":250,"readMoreText":"Read more","readLessText":"Read less"}}), "https://slice.vanilla.futurecdn.net/13-4-25/js/authorBio.js"); } else { console.error('%c FTE ','background: #9306F9; color: #ffffff','no lazy slice hydration function available'); } Bruno Ferreira Social Links Navigation Contributor Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
PEnns "The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely)" As usual, the weakest link / silliest scenario: If the attacker ALREADY has access to the user's machine, why all this commotion about having AI do nefarious stuff…if the remote attacker can do even worse with / out AI?? Reply
rluker5 The takeaway from this story could be: don't let an AI agent find and run software for you from the internet unchecked. Who would do such a thing anyways? In the future it may be the default due to a Windows update. Just yesterday, while my daughter was at piano lessons, I was checking out water softener options and wanted to know the water hardness in my locality. I searched for the answer using Edge on my phone and could only get that AI summary and nothing else. I tried several times and it kept repeating so I switched the search engine from Bing to something else and had the AI headline paragraph again which continued to state that my water hardness was either 21 or 3.4 grains per gallon which was a worthless answer, but that was now followed by the actual search results which I used to get a real answer. Who would make my mobile search sometimes only include the AI summary as an answer? In this case Microsoft. The push for AI use at the expense of functionality or security is real. Reply
rluker5 PEnns said: "The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely)" As usual, the weakest link / silliest scenario: If the attacker ALREADY has access to the user's machine, why all this commotion about having AI do nefarious stuff…if the remote attacker can do even worse with / out AI?? The weakest link is that agentic AI is the one that gives the attacker this access by running code from an imposter website, which all agentic AIs apparently are prone to doing. Reply
edzieba PEnns said: "The most obvious outcome could be creating a reverse shell (the user's machine opens a command line that's controlled remotely)" As usual, the weakest link / silliest scenario: If the attacker ALREADY has access to the user's machine, why all this commotion about having AI do nefarious stuff…if the remote attacker can do even worse with / out AI?? Did you not actually read the article, or merely not understand it? This attack allows an attacker to host malicious code on Github (or similar repos) with names similar to popular repos – same concept as DNS typosquatting, but targeting LLM hallucination malformations rather than human typing malformations – and all that attacker then needs to do is sit and wait, as 'AI agents' will hallucinate names similar to the requested repo, find that hallucinated repo already exists, then blindly execute code from that repo. The attacker does not require any prior access to the targets, the targets come to them and pwn themselves. Reply
PEnns edzieba said: Did you not actually read the article, or merely not understand it? This attack allows an attacker to host malicious code on Github (or similar repos) with names similar to popular repos – same concept as DNS typosquatting, but targeting LLM hallucination malformations rather than human typing malformations – and all that attacker then needs to do is sit and wait, as 'AI agents' will hallucinate names similar to the requested repo, find that hallucinated repo already exists, then blindly execute code from that repo. The attacker does not require any prior access to the targets, the targets come to them and pwn themselves. Nah, us peasants don't. Only you can read and comprehend and willfully skip over the quoted part, FROM THE ARTICLE! Reply
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/hallusquatting-is-the-latest-agentic-ai-exploit-where-models-dream-up-potentially-malicious-urls-in-tool-calls-attack-exploits-a-fundamental-weakness-in-every-available-model#main
- https://www.tomshardware.com/subscription
- Fi Ultra becomes first dog tracker powered by Starlink satellites – the Fi Ultra Dog Tracker makes Fido trackable via satellite, onboard GPS, and LTE connectivi
- Professor suspected AI-powered cheating on take-home midterms, makes finals in-person — only two students scored within 10% of their midterm score
- Future Nostalgia Project asks retro hoarders to ‘Copy That Floppy!’ — flips the early 1990s anti-piracy campaign on its head to encourage budding archivists
- How Open Models Are Driving AI Research
- Cracked version of Assassin’s Creed Black Flag Resynced leaked days prior to official release despite Denuvo DRM protection — Denuvo unable to stop crackers, wi
Informational only. No financial advice. Do your own research.