AI Agents Can Be Hijacked Into Botnets by Exploiting Their Own Hallucinations, Researchers Warn
Security researchers warn that AI agents' hallucination flaw can be weaponized to install malicious packages, turning autonomous agents into botnet nodes.
Security researchers are warning that the same hallucination behavior that makes large language models fabricate facts can be weaponized to turn autonomous AI agents into botnet nodes — and the threat surface is fundamentally different from the prompt-injection attacks that have dominated headlines so far. According to Decrypt, attackers can exploit an agent’s tendency to confidently reference non-existent software packages, pre-registering those hallucinated dependency names with malicious payloads before the agent ever tries to install them.
The mechanism is deceptively simple. When an AI agent is asked to write or execute code, it often invents library names that sound plausible but don’t actually exist. An attacker who can predict those hallucinated package names — and researchers say they are structurally predictable — registers them on package registries like PyPI or npm with code that does something far worse than crash a script. The agent, operating autonomously, downloads and runs the package without a human ever reviewing it. IBM defines hallucinations as misinterpretations arising from overfitting, training data bias or inaccuracy, and high model complexity. Those same structural flaws make hallucinated package names consistent enough across model runs that attackers can front-run them at scale.
Agents Act — Chatbots Only Talk
This is where the distinction between a chatbot and an agent becomes critical. A chatbot that hallucinates a package name produces a harmless line of text. An agent that hallucinates the same name may actually try to install it. MIT Sloan’s explainer on agentic AI notes that agents differ from chatbots precisely because they can take autonomous actions — executing code, installing packages, browsing the web — without human confirmation at each step. That autonomy, which is the entire commercial pitch for agentic systems, is also the attack surface.
Gen Digital’s February 2026 research blog frames the shift bluntly: “For years, AI risk debates were focused on content: hallucinations, bias and bad advice. That still matters, but agents change the center of gravity.” What the model says versus what the model does — that’s the new fault line. A hallucinated fact in a chat window is embarrassing. A hallucinated dependency in a pipeline that auto-installs it is a remote code execution vector.
Microsoft’s Acknowledgement and the Two-Sided Arms Race
Microsoft has acknowledged the problem on its own terms. A Reddit-cited cybersecurity discussion referencing Microsoft’s admissions notes that the company has confirmed AI agents can hallucinate and fall for attacks. Users in the same thread flag Microsoft’s warning that hackers are now using AI at every stage of cyberattacks — reconnaissance, payload generation, social engineering — creating a two-sided arms race in which offensive and defensive AI capabilities are escalating in parallel. Those are unverified claims from a Reddit thread, but they track with the broader research consensus.
From Curiosity to Systemic Risk: The Botnet Scenario
The botnet scenario is what elevates this from a curiosity to a systemic risk. If multiple AI agents across different organizations and systems are compromised via the same hallucinated-dependency technique, they could theoretically be coordinated as a botnet — a network of hijacked machines acting in concert — without any single user being aware their agent has been turned. The compromised agents continue to perform their nominal tasks while quietly participating in coordinated activity: distributed denial-of-service, credential harvesting, or acting as relay nodes for further attacks. The owner sees a functioning agent. The attacker sees a resource.
The broader attack surface extends beyond package hallucinations. The OpenClaw case, flagged on Facebook and TechJuice, shows a parallel threat: AI agents leaking user data through prompt-injection flaws. That incident illustrates that agentic systems carry multiple overlapping vulnerabilities — hallucinated dependencies, prompt injection, data exfiltration — any one of which can be chained with another.
Crypto’s Concrete Exposure
For crypto markets, the stakes are concrete. DeFi and crypto-native AI agents — trading bots, on-chain automation tools, portfolio managers — are high-value targets for exactly this class of attack. As of July 10, 2026, the Fear & Greed Index sits at 23/100 (Extreme Fear) and total crypto market cap stands at $2,248.26B, with 24-hour volume of $60.99B. In a market already gripped by fear, a botnet of compromised trading agents executing coordinated sell orders or draining wallets would compound the damage rapidly. The technology to build autonomous DeFi agents is shipping faster than the security model to protect them.
Package registries are the choke point. If PyPI, npm and similar platforms begin flagging or quarantining packages whose names match known LLM hallucination patterns, the attack window narrows considerably. Until then, every agent that auto-installs dependencies is a candidate for recruitment.