Tech

New AI Security Threats: HalluSquatting, Ghost Approval, and GitLost Explained

AI-generated, human-reviewed.

The latest episode of Security Now revealed three new, deeply concerning security attacks—HalluSquatting, Ghost Approval, and GitLost—that take direct aim at AI agents and coding tools. These attacks highlight why every user and developer leveraging AI systems must understand the evolving threat landscape and adopt stronger security controls.

HalluSquatting: When AI Hallucinations Lead to Mass Exploitation

On Security Now, the discussion focused on HalluSquatting, a new attack where adversaries exploit the tendency of AI models to hallucinate (i.e., make up) the names or locations of resources like code repositories or packages. AI-based code assistants and agents, such as Copilot or Gemini, often can’t reliably confirm where new or trending packages actually exist. When tasked with cloning or installing a resource, they might “invent” a plausible-looking but incorrect repository name and attempt to retrieve it 01:56:03.

Attackers can predict these common hallucinated names, pre-register them, and seed them with malicious instructions—including installing a reverse shell or malware. Because coding agents frequently have high privileges and automatic install rights, this enables attackers to compromise potentially thousands of machines, automatically and at scale, without targeting victims one by one.

HalluSquatting is particularly dangerous because it turns innocent AI mistakes into enormous security risks, weaponizing the AI’s natural gaps in knowledge to build botnets or deploy ransomware on a massive scale 01:59:04.

Ghost Approval: Tricking AI Tools with Symlinks

The episode also covered Ghost Approval, a newly discovered class of vulnerability impacting popular AI coding assistants. Here, attackers exploit symbolic links (symlinks)—special files that point to other files—to make an AI agent believe it is modifying or approving a harmless edit, when in reality it’s writing to a sensitive or unauthorized location 02:01:28.

For example, an AI might propose a code change, ask a human to approve it, and then use a symlink to silently write to a system file outside of the approved working directory. On Security Now, it was explained that this “UI confusion” allows critical information to be hidden from the human reviewer: the user thinks they’re OK’ing a safe change, but the AI’s underlying action is far more dangerous 02:03:00.

Multiple vendors—including Amazon and Google—were found to have this issue in their products. While some have issued fixes, this highlights how old vulnerabilities (like symlink attacks) can resurface in new forms when AI agents are involved.

GitLost: Indirect Prompt Injection Leaks Data from Private Repos

Another key AI threat explored was GitLost, in which attackers use indirect prompt injection to manipulate AI-powered GitHub workflows. In this scenario, any malicious stranger can submit a GitHub issue with hidden commands embedded in natural language text 02:06:26.

If an AI agent with organization-wide permissions responds to the issue, it may read these instructions and unwittingly execute them—leading to critical private data being leaked or actions being performed with elevated rights across both public and private repositories.

According to Security Now, GitLost demonstrates a fundamental design risk in today’s generative AI: the agent’s “context window”—the set of data and instructions it can process—is also its attack surface. If untrusted data isn’t carefully separated from control instructions, attackers can hijack the workflow with zero programming knowledge.

Why These AI Exploits Matter for Every User

A key theme that emerged was that today’s AI agents are often built and integrated with a focus on functionality, not on robust security boundaries. All three attack types—HalluSquatting, Ghost Approval, and GitLost—exploit the fact that AI tools often fail to distinguish cleanly between trusted instructions and untrusted data, or blindly trust information supplied by third parties. As a result, legacy security problems (like typo-squatting and symlinks) can now be automated and scaled up using AI, turning “classic” attacks into existential problems for organizations.

What You Need to Know

  • HalluSquatting: Attackers register repos/packages with names AI tools are likely to hallucinate, leading to widespread, silent infections.
  • Ghost Approval: AI agents writing via symlinks can trick users into approving changes that target sensitive system areas.
  • GitLost: Anyone can use hidden instructions inside a GitHub issue to make AI agents access or leak data from restricted repos.
  • AI security controls, review processes, and context isolation must dramatically improve to handle this new era of attacks.
  • Classic vulnerabilities are returning in unexpected AI-powered forms—threats are evolving as fast as defenses.
  • Organizations must treat any AI agent with write or admin access as a highly privileged component, subject to the same—or heightened—scrutiny as traditional admin tools.

The Bottom Line

According to Security Now, these new attack techniques—HalluSquatting, Ghost Approval, and GitLost—are proof that AI’s promise comes with serious new risks. Developers, security teams, and end users should be wary of overtrusting AI agents, insist on strict boundaries between code, instructions, and data, and keep up with patches and research as the field evolves.

For more in-depth analysis of today’s most pressing AI and security issues, subscribe to Security Now: https://twit.tv/shows/security-now/episodes/1087

All Tech posts