Researchers have discovered a new type of attack called "illusion invasion," where AI agents may be exploited to form a botnet
According to Decrypt, researchers from Tel Aviv University, the Technion - Israel Institute of Technology, and Intuit have discovered a new type of attack method called "adversarial illusion injection." This technique exploits the illusion phenomenon of AI models to trick AI agents into downloading malicious code and potentially forming a botnet.
Attackers predict the false resource links that AI models might generate and register them in advance, embedding malicious instructions within. When the AI agent retrieves the resource, it treats it as legitimate content and executes it. Tests show that the illusion occurrence rate in code repository cloning scenarios reaches 85%, and in skill installation scenarios, it reaches 100%. AI coding assistants such as Cursor, GitHub Copilot, Gemini CLI, and OpenClaw are all affected. This attack is similar to "typo-squatting" in traditional cyberattacks, but it targets the errors of AI models rather than human input errors. Previous research has shown that malicious websites can inject prompts to hijack AI agents, and OpenClaw users have reported over 6,000 attempts to trick AI agents into leaking sensitive information.






