简而言之 研究人员推出了“对抗性 HalluSquatting”,这是一种利用人工智能生成幻觉的攻击。 该技术诱骗人工智能代理信任包含恶意指令的虚假存储库或工具。 针对流行的人工智能编码助手的测试表明,该方法可以在受控实验中实现远程代码执行。 根据特拉维夫大学、以色列理工学院和 Intuit 的最新研究,人工智能的幻觉可能不仅仅是错误的答案,它们还可能成为黑客破坏计算机的一种方式。 在论文《谨防代理僵尸网络:通过通用和可转移的对抗性 HalluSquatting 进行可扩展的非目标提示软件攻击》中,研究人员展示了一种在人工智能模型生成软件存储库和其他在线资源的虚假链接时利用人工智能模型的技术。
研究人员写道:“代理法学硕士应用程序的日益普及带来了一种新的威胁,以前被称为提示软件。” “虽然之前的工作已经确定对手可以利用 LLM 应用程序的直接通道在弱威胁模型下应用提示软件,但许多应用程序不提供任何可用于跨互联网进行提示注入的直接通道。” 这种攻击被称为对抗性幻觉抢占或“HalluSquatting”,涉及预测人工智能模型可能创建哪些虚假资源、注册这些名称并添加恶意指令。如果人工智能代理稍后检索到幻觉资源,它可能会将攻击者控制的内容视为合法内容。 研究人员表示,当人工智能助手超越回答问题并获得与计算机交互的能力(访问文件、搜索网络、编写代码和运行命令)时,威胁就会出现。 当代理在未确认来源是否真实的情况下对检索到的信息采取行动时,这些能力可能会造成安全漏洞。
他们写道:“正在进行的研究已经证明了针对现实世界系统的 Promptware 攻击的各种变体,包括 ChatGPT、Google Assistant、Copilot 和各种其他应用程序。” “这些工作表明 Promptware 可能会导致财务、隐私和安全影响。” 研究人员警告说,该技术可能允许攻击者构建人工智能僵尸网络。僵尸网络是指由攻击者远程控制的受感染计算机或设备组成的网络。僵尸网络通常用于网络攻击,包括拒绝服务攻击、加密货币挖掘、恶意软件分发和勒索软件活动。 在测试中,研究人员发现,在存储库克隆场景中,AI 生成的资源幻觉发生率高达 85%,在技能安装测试中,发生率高达 100%。 该团队针对 AI 编码助手和代理(包括 Cursor、GitHub Copilot、Gemini CLI 和 OpenClaw)评估了该技术。 HalluSquatting 类似于域名抢注,这是一种网络攻击策略,攻击者注册类似于合法网站或软件包的域名来欺骗用户。 HalluSquatting 不是利用人类打字错误,而是针对人工智能模型所犯的错误。
这一消息发布之际,研究人员正在继续测试攻击者如何操纵人工智能代理。 今年 4 月,谷歌研究人员详细介绍了旨在通过间接提示注入攻击劫持 AI 代理的恶意网站,包括尝试窃取密码、删除文件和操纵付款。另一项关于“CopyPasta”攻击的研究表明,开发人员文件中的隐藏提示如何操纵人工智能编码助手传播恶意代码。 6 月份,一名 OpenClaw 用户报告称,攻击者已进行了 6,000 多次尝试,试图诱骗 AI 代理泄露敏感信息。 每日简报时事通讯 每天从当前的热门新闻报道以及原创专题、播客、视频等开始。
In brief
Researchers introduced “Adversarial HalluSquatting,” an attack that exploits AI-generated hallucinations.
The technique tricks AI agents into trusting fake repositories or tools that contain malicious instructions.
Tests against popular AI coding assistants showed the method could lead to remote code execution in controlled experiments.
AI hallucinations may be more than incorrect answers—they could become a way for hackers to compromise computers, according to new research from Tel Aviv University, Technion, and Intuit.
In the paper, “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting,” researchers demonstrated a technique that exploits AI models when they generate fake links to software repositories and other online resources.
“The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware,” the researchers wrote. “While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models, many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet.”
Known as adversarial hallucination squatting or “HalluSquatting,” the attack involves predicting which fake resources AI models are likely to create, registering those names, and adding malicious instructions. If an AI agent later retrieves the hallucinated resource, it may treat the attacker-controlled content as legitimate.
The researchers said the threat emerges as AI assistants move beyond answering questions and gain the ability to interact with computers—accessing files, searching the web, writing code, and running commands.
Those abilities can create security gaps when agents act on information they retrieve without confirming whether the source is real.
“Ongoing studies have demonstrated various variants of Promptware attacks against real-world systems, including ChatGPT, Google Assistant, Copilot, and various additional applications,” they wrote. “These works demonstrated that Promptware can lead to financial, privacy, and safety impacts.”
Researchers warned the technique could allow attackers to build AI-enabled botnets. A botnet refers to a network of infected computers or devices controlled remotely by an attacker. Botnets are commonly used in cyberattacks, including denial-of-service attacks, cryptocurrency mining, malware distribution, and ransomware campaigns.
In testing, the researchers found AI-generated resource hallucinations occurred at rates as high as 85% in repository cloning scenarios and 100% in skill installation tests.
The team evaluated the technique against AI coding assistants and agents, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw.
HalluSquatting is similar to typosquatting, a cyberattack tactic where attackers register domain names resembling legitimate websites or software packages to trick users. Instead of exploiting human typing mistakes, HalluSquatting targets mistakes made by AI models.
The news comes as researchers continue to test how attackers can manipulate AI agents.
In April, Google researchers detailed malicious websites designed to hijack AI agents through indirect prompt injection attacks, including attempts to steal passwords, delete files, and manipulate payments. A separate study on the “CopyPasta” attack showed how hidden prompts inside developer files could manipulate AI coding assistants into spreading malicious code.
In June, an OpenClaw user reported facing more than 6,000 attempts from attackers attempting to trick the AI agent into leaking sensitive information.