ブログ
/
AI
/
October 30, 2023

Exploring AI Threats: Package Hallucination Attacks

Learn how malicious actors exploit errors in generative AI tools to launch packet attacks. Read how Darktrace products detect and prevent these threats!
Written by
Charlotte Thompson
Cyber Analyst
Written by
Tiana Kelly
Senior Cyber Analyst & Team Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Charlotte Thompson
Cyber Analyst
Written by
Tiana Kelly
Senior Cyber Analyst & Team Lead
Default blog image
30
Oct 2023

AI tools open doors for threat actors

On November 30, 2022, the free conversational language generation model ChatGPT was launched by OpenAI, an artificial intelligence (AI) research and development company. The launch of ChatGPT was the culmination of development ongoing since 2018 and represented the latest innovation in the ongoing generative AI boom and made the use of generative AI tools accessible to the general population for the first time.

ChatGPT is estimated to currently have at least 100 million users, and in August 2023 the site reached 1.43 billion visits [1]. Darktrace data indicated that, as of March 2023, 74% of active customer environments have employees using generative AI tools in the workplace [2].

However, with new tools come new opportunities for threat actors to exploit and use them maliciously, expanding their arsenal.

Much consideration has been given to mitigating the impacts of the increased linguistic complexity in social engineering and phishing attacks resulting from generative AI tool use, with Darktrace observing a 135% increase in ‘novel social engineering attacks’ across thousands of active Darktrace/Email™ customers from January to February 2023, corresponding with the widespread adoption of ChatGPT and its peers [3].

Less overall consideration, however, has been given to impacts stemming from errors intrinsic to generative AI tools. One of these errors is AI hallucinations.

What is an AI hallucination?

AI “hallucination” is a term which refers to the predictive elements of generative AI and LLMs’ AI model gives an unexpected or factually incorrect response which does not align with its machine learning training data [4]. This differs from regular and intended behavior for an AI model, which should provide a response based on the data it was trained upon.  

Why are AI hallucinations a problem?

Despite the term indicating it might be a rare phenomenon, hallucinations are far more likely than accurate or factual results as the AI models used in LLMs are merely predictive and focus on the most probable text or outcome, rather than factual accuracy.

Given the widespread use of generative AI tools in the workplace employees are becoming significantly more likely to encounter an AI hallucination. Furthermore, if these fabricated hallucination responses are taken at face value, they could cause significant issues for an organization.

Use of generative AI in software development

Software developers may use generative AI for recommendations on how to optimize their scripts or code, or to find packages to import into their code for various uses. Software developers may ask LLMs for recommendations on specific pieces of code or how to solve a specific problem, which will likely lead to a third-party package. It is possible that packages recommended by generative AI tools could represent AI hallucinations and the packages may not have been published, or, more accurately, the packages may not have been published prior to the date at which the training data for the model halts. If these hallucinations result in common suggestions of a non-existent package, and the developer copies the code snippet wholesale, this may leave the exchanges vulnerable to attack.

Research conducted by Vulcan revealed the prevalence of AI hallucinations when ChatGPT is asked questions related to coding. After sourcing a sample of commonly asked coding questions from Stack Overflow, a question-and-answer website for programmers, researchers queried ChatGPT (in the context of Node.js and Python) and reviewed its responses. In 20% of the responses provided by ChatGPT pertaining to Node.js at least one un-published package was included, whilst the figure sat at around 35% for Python [4].

Hallucinations can be unpredictable, but would-be attackers are able to find packages to create by asking generative AI tools generic questions and checking whether the suggested packages exist already. As such, attacks using this vector are unlikely to target specific organizations, instead posing more of a widespread threat to users of generative AI tools.

Malicious packages as attack vectors

Although AI hallucinations can be unpredictable, and responses given by generative AI tools may not always be consistent, malicious actors are able to discover AI hallucinations by adopting the approach used by Vulcan. This allows hallucinated packages to be used as attack vectors. Once a malicious actor has discovered a hallucination of an un-published package, they are able to create a package with the same name and include a malicious payload, before publishing it. This is known as a malicious package.

Malicious packages could also be recommended by generative AI tools in the form of pre-existing packages. A user may be recommended a package that had previously been confirmed to contain malicious content, or a package that is no longer maintained and, therefore, is more vulnerable to hijack by malicious actors.

In such scenarios it is not necessary to manipulate the training data (data poisoning) to achieve the desired outcome for the malicious actor, thus a complex and time-consuming attack phase can easily be bypassed.

An unsuspecting software developer may incorporate a malicious package into their code, rendering it harmful. Deployment of this code could then result in compromise and escalation into a full-blown cyber-attack.

Figure 1: Flow diagram depicting the initial stages of an AI Package Hallucination Attack.

For providers of Software-as-a-Service (SaaS) products, this attack vector may represent an even greater risk. Such organizations may have a higher proportion of employed software developers than other organizations of comparable size. A threat actor, therefore, could utilize this attack vector as part of a supply chain attack, whereby a malicious payload becomes incorporated into trusted software and is then distributed to multiple customers. This type of attack could have severe consequences including data loss, the downtime of critical systems, and reputational damage.

How could Darktrace detect an AI Package Hallucination Attack?

In June 2023, Darktrace introduced a range of DETECT™ and RESPOND™ models designed to identify the use of generative AI tools within customer environments, and to autonomously perform inhibitive actions in response to such detections. These models will trigger based on connections to endpoints associated with generative AI tools, as such, Darktrace’s detection of an AI Package Hallucination Attack would likely begin with the breaching of one of the following DETECT models:

  • Compliance / Anomalous Upload to Generative AI
  • Compliance / Beaconing to Rare Generative AI and Generative AI
  • Compliance / Generative AI

Should generative AI tool use not be permitted by an organization, the Darktrace RESPOND model ‘Antigena / Network / Compliance / Antigena Generative AI Block’ can be activated to autonomously block connections to endpoints associated with generative AI, thus preventing an AI Package Hallucination attack before it can take hold.

Once a malicious package has been recommended, it may be downloaded from GitHub, a platform and cloud-based service used to store and manage code. Darktrace DETECT is able to identify when a device has performed a download from an open-source repository such as GitHub using the following models:

  • Device / Anomalous GitHub Download
  • Device / Anomalous Script Download Followed By Additional Packages

Whatever goal the malicious package has been designed to fulfil will determine the next stages of the attack. Due to their highly flexible nature, AI package hallucinations could be used as an attack vector to deliver a large variety of different malware types.

As GitHub is a commonly used service by software developers and IT professionals alike, traditional security tools may not alert customer security teams to such GitHub downloads, meaning malicious downloads may go undetected. Darktrace’s anomaly-based approach to threat detection, however, enables it to recognize subtle deviations in a device’s pre-established pattern of life which may be indicative of an emerging attack.

Subsequent anomalous activity representing the possible progression of the kill chain as part of an AI Package Hallucination Attack could then trigger an Enhanced Monitoring model. Enhanced Monitoring models are high-fidelity indicators of potential malicious activity that are investigated by the Darktrace analyst team as part of the Proactive Threat Notification (PTN) service offered by the Darktrace Security Operation Center (SOC).

Conclusion

Employees are often considered the first line of defense in cyber security; this is particularly true in the face of an AI Package Hallucination Attack.

As the use of generative AI becomes more accessible and an increasingly prevalent tool in an attacker’s toolbox, organizations will benefit from implementing company-wide policies to define expectations surrounding the use of such tools. It is simple, yet critical, for example, for employees to fact check responses provided to them by generative AI tools. All packages recommended by generative AI should also be checked by reviewing non-generated data from either external third-party or internal sources. It is also good practice to adopt caution when downloading packages with very few downloads as it could indicate the package is untrustworthy or malicious.

As of September 2023, ChatGPT Plus and Enterprise users were able to use the tool to browse the internet, expanding the data ChatGPT can access beyond the previous training data cut-off of September 2021 [5]. This feature will be expanded to all users soon [6]. ChatGPT providing up-to-date responses could prompt the evolution of this attack vector, allowing attackers to publish malicious packages which could subsequently be recommended by ChatGPT.

It is inevitable that a greater embrace of AI tools in the workplace will be seen in the coming years as the AI technology advances and existing tools become less novel and more familiar. By fighting fire with fire, using AI technology to identify AI usage, Darktrace is uniquely placed to detect and take preventative action against malicious actors capitalizing on the AI boom.

Credit to Charlotte Thompson, Cyber Analyst, Tiana Kelly, Analyst Team Lead, London, Cyber Analyst

References

[1] https://seo.ai/blog/chatgpt-user-statistics-facts

[2] https://darktrace.com/news/darktrace-addresses-generative-ai-concerns

[3] https://darktrace.com/news/darktrace-email-defends-organizations-against-evolving-cyber-threat-landscape

[4] https://vulcan.io/blog/ai-hallucinations-package-risk?nab=1&utm_referrer=https%3A%2F%2Fwww.google.com%2F

[5] https://twitter.com/OpenAI/status/1707077710047216095

[6] https://www.reuters.com/technology/openai-says-chatgpt-can-now-browse-internet-2023-09-27/

執筆者
Charlotte Thompson
Cyber Analyst
執筆者
Tiana Kelly
Senior Cyber Analyst & Team Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Charlotte Thompson
Cyber Analyst
Written by
Tiana Kelly
Senior Cyber Analyst & Team Lead

中国系APTキャンペーン、アップデートされたFDMTPバックドアで企業を狙う

Network
May 14, 2026
Tara Gould
Malware Research Lead
Watch the NIS2 Webinar
よく読まれているブログ
1
ダークトレース、2026年度Gartner® CPS Protection Platforms部門のMagic Quadrant™ において唯一のVisionaryの評価を受ける
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
AI
May 28, 2026

From Efficiency to Exposure: How AI Adoption Is Creating Unseen Vulnerabilities on the Factory Floor

Manufacturing organizations are rapidly adopting AI agents and autonomous systems to improve efficiency, productivity, and operational resilience, but these technologies are also introducing new cyber and operational risks. This blog explores how AI-driven threats, limited visibility into agent activity, and evolving attack techniques are reshaping manufacturing security, and why visibility, behavioral context, and embedded guardrails are becoming essential foundations for securing both IT and OT environments.
Oakley Cox
Director of Product
Read more
AI
May 27, 2026

How to Evaluate AI Vendors: 5 Key categories for AI Adoption

Buying AI cybersecurity tools requires more than evaluating features and marketing claims. This blog explores the challenges security teams face when assessing AI vendors, outlines five critical categories for AI evaluation, and explains how governance, transparency, model selection, and validation impact trust, adoption, and long-term security outcomes.
Jamie Bali
Technical Author (AI) Developer
Read more
AI
May 20, 2026

Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches

AI agents are transforming enterprise productivity, but they are also expanding the attack surface in new ways. This blog explores the benefits and challenges surrounding prompt security, where AI risk emerges across connected systems and autonomous actions, and how organizations can build a broader strategy to secure AI across the enterprise.
Jamie Bali
Technical Author (AI) Developer
Read more

Blog

/

Proactive Security

/

June 1, 2026

Defend What You Trust: Stories from the Front Lines of Modern Cyber Defense

Default blog imageDefault blog image

Modern attacks don’t always announce themselves, follow obvious patterns, or rely on known malware. Often, they move quietly inside trusted systems, authenticated sessions, and everyday behavior.

They don’t break in. They blend in.

That’s why an AI-powered defense is essential. It turns invisible signals into actionable insights at a scale neither analysts nor traditional tools can achieve alone.

Confidence is creating risk

One of the most dangerous assumptions in cybersecurity today is that strong controls equal strong protection.

Multi-factor authentication (MFA), for example, is widely viewed as a foundational safeguard. But as the CISO for a professional sports organization explains, that confidence can be misplaced. “A lot of organizations assume that once you have MFA, those accounts are safe. That’s not true.”

In one instance, his team identified a sophisticated attack where a threat actor bypassed MFA entirely, not by breaking it, but by going around it. A user’s authenticated session was hijacked and re-used, allowing the attacker to impersonate them without triggering traditional controls.

“Darktrace picked up that a session had been re-injected by the hacker, and we were able to block it right away,” he explains.

Attackers anticipate what we miss

Even well-trained users can become entry points.

“An email bypassed our existing security tools,” shares the VP of IT at a U.S.-based risk management services provider.  “The user missed one signal and entered their credentials into a malicious site. That’s what the bad guys count on.”

The organization responded quickly, but not before damage was done. Crucially, this occurred while Darktrace was in “watch mode,” before autonomous response was fully enabled. “Darktrace would have seen that and shut it down immediately,” he notes.

Mistakes and oversights like misconfigurations, forgotten machines, and missed patches can create serious vulnerabilities.

The CIO of a utility services organization shares an instance when Darktrace detected a breach to a client’s network via their ZTNA VPN due to misconfigured MFA. “Darktrace alerted us and autonomously blocked the scanning, preventing what could have been a ransomware-type incident.”  

The most dangerous threats are already inside

The Head of Security at a global business services provider knows firsthand how blind spots can persist inside environments. His team uncovered evidence of dormant ransomware artifacts sitting unnoticed within a company’s environment ¬¬– long before modern detection was in place.

“During a routine file transfer, Darktrace flagged the suspicious activity, identified the ransomware, and immediately quarantined the server,” he recalls.  While the attack was never executed, the implication was significant: the risk existed long before it was finally detected.

Cyber threats are also successful because they take advantage of normal human behavior, exploiting moments of cognitive overload, urgency, and trust.

The Executive Director of IT and Business Applications at a pharmaceutical lab describes the time Darktrace flagged an employee logging into Microsoft 365 from Singapore, despite him being physically located in the U.S. Darktrace immediately cut off his access and within minutes revealed that the employee’s son was using a VPN to play a video game.

While the threat was benign, it demonstrated the strength of AI to use contextual information to detect threats other tools miss. The information also saved security analysts hours of investigation and minimized downtime for the employee. “That level of precision and speed isn’t just convenient, it’s game changing.”

“Unusual” behavior is the new red flag

Detecting modern threats requires an understanding of what “normal” looks like and recognizing when something subtly deviates.

One security leader  at an AI technology enterprise described a scenario in which an employee connected to a proxy service in China. The service itself was legitimate, and although traditional tools didn’t flag it, the behavior was unusual for that user specifically.

“That’s what Darktrace picked up on. The activity turned out to be benign, but without visibility into behavioral deviations, it could just as easily have been something more serious.”

AI shifts defense from reaction to anticipation

These stories point to a fundamental shift by cyber attackers, both tactically and strategically. Because traditional security tools were built to detect what’s already known, modern attacks are often:

  • Credential-based, not malware-based
  • Behavioral, not signature-based
  • Subtle, not overt

They may operate within the boundaries of what appears normal, exploiting what organizations trust, not what they block:

  • Trusted sessions
  • Legitimate services
  • Human error

This is where AI is changing the equation. Rather than relying on predefined rules or known threat signatures, AI can:

  • Establish a baseline of normal behavior
  • Detect subtle anomalies in real time
  • Act autonomously to contain potential threats

Resilience, not perfection, is the new security standard

As these frontline experiences show, the organizations that lead are those that move beyond reactive defense and embrace AI as a core part of their strategy.

It eliminates the blind spots and uncertainty, says the CISO of a professional sports organization. “If you lack visibility, you’re not managing risk, you’re assuming it. AI gives you the actionable insights needed to turn uncertainty into control.”

And it provides the speed and agility that are vital when seconds matter, says the Executive Director of IT and Business Applications. “When Darktrace alerted us at 3:00 am to a ransomware attack, it had already quarantined the affected systems, blocked the attacker’s access, and provided us with the critical details and time needed to investigate. That action likely saved us hundreds of thousands, if not millions, of dollars.”

The modern SOC has become a cornerstone of enterprise resilience, responsible for protecting data and operational continuity while enabling digital growth and innovation. For today’s security professional, that means success is no longer measured by what they keep out, but by what they protect: revenue, reputation, and trust.

Continue reading
About the author

Blog

/

AI

/

May 28, 2026

From Efficiency to Exposure: How AI Adoption Is Creating Unseen Vulnerabilities on the Factory Floor

Default blog imageDefault blog image

How AI agents impact the manufacturing industry

Security teams and IT personnel across the manufacturing industry are under constant pressure to protect production, maintain uptime, and safeguard critical assets but the rise of AI is bringing huge new opportunities alongside new cyber risks. Across manufacturing, AI is embedded into workflows, decision-making, and increasingly, autonomous AI agents are acting on behalf of employees and systems.  

Agentic systems are powerful because they can act independently, but that same autonomy also creates cyber and operational risk. Agents have extensive permissions and are capable of carrying out complex tasks, making decisions, and interacting with tools or external systems with little to no human intervention.

Unlike traditional AI models that perform predefined tasks, AI agents use advanced techniques to mimic human decision-making processes, dynamically adapting to new challenges, making decision and taking action based on their own judgement. They look like employees operationally but lack judgment, ethics, or fear of consequences like humans do. This means they can be easily manipulated by cybercriminals, and an AI agent embedded across an OT network creates threats that extend well beyond data exposure. For example, at BMW, AI identifies faults in welding processes as they occur. At its Spartanburg plant, AI monitors the weld of 300-400 metal studs onto every SUV frame to detect misplaced or faulty studs and correct them instantly. Corruption of BMW’s AI system could lead to catastrophic quality control errors.

Adopting agentic AI systems across manufacturing raises some concerns across security teams. New data from our State of AI Cybersecurity survey shows that 78% of manufacturing security professionals are worried about employee use of AI agents – their top concern. That’s followed by employee use of generative AI tools like CoPilot and ChatGPT, a worry for 76% of security professionals at manufacturing organizations. As these tools gain more access to business data and processes, and more autonomy within organizations, security teams, who today have minimal visibility of agent activity in their environments, increasingly have sensitive data exposure (a worry for 60%) and accidental policy and regulatory violations (59%) on their minds.

External AI-powered threats are evolving just as quickly

The same capabilities transforming manufacturing are also reshaping cyberattacks.

AI is enabling attackers to automate reconnaissance, refine targeting, and adapt in real time. What once required time and manual effort can now be executed continuously and at scale. Manufacturers are already seeing the impact. According to manufacturing security professionals we surveyed, 76% are already being impacted by AI-powered threats and 90% see AI increasing the success of social engineering attacks.

And the techniques themselves are evolving. Concerns across the manufacturing sector show growing anxiety about the range of AI-powered attack routes, most pressingly of adaptive malware that evolves in real-time – a prospect half (49%) of manufacturing security professionals we surveyed are worried by, a full 9% more than the average across industries. AI adaptive malware is followed by:

  • Automated vulnerability scanning and exploit chaining (48%) which has become even more pressing as Anthropic’s new Mythos AI Model supercharges vulnerability discovery
  • Hyper-personalized phishing campaigns (46%), which remain a mainstay in hackers’ arsenals, and AI has amplified their effectiveness by making phishing emails more convincing and harder to detect.

This is not just an increase in volume, it is a shift toward threats that evolve as they unfold - often faster than static defenses can respond.

Despite rising awareness, many manufacturers are not yet equipped to manage this shift. More than half (51%) say they are not adequately prepared for AI-driven threats, and only 37% have formal policies governing AI deployment.  

Securing AI through visibility, context, and guardrails

Addressing this challenge does not require manufacturers to slow innovation. It requires a different approach to security, one that can operate at the same speed and scale as AI. Three specific priorities are emerging for manufacturers looking to take advantage of the power of AI.

Visibility is foundational.  

Organizations need to understand where AI is being used, what it can access, and how it behaves across both IT and OT environments. Without that, risk cannot be measured or managed. It is no surprise that Darktrace’s research found that 91% of manufacturing security professionals said that they need to understand how AI makes decisions before trusting it. This is even more critical in operational settings where disruption has safety, environmental, financial, and reputational impacts.

Context is what turns visibility into action.  

In environments shaped by AI, normal behavior is constantly shifting. Detecting threats requires a behavioral approach; understanding patterns of life across the organization and identifying subtle deviations in real time – a step change in organizations’ traditional approach to security and risk management.

Guardrails ensure that agency does not become exposure  

As AI systems take on greater responsibility, organizations need clear boundaries around what they can do and when they can act independently. These controls must be embedded into systems themselves, not applied after the fact.  

Securing AI Agents Across Manufacturing IT and OT

The rise of agentic AI is transforming manufacturing - powering next-generation operations while reshaping the security landscape. This is not just an increase in threats, but a shift to autonomous systems, continuously evolving behaviors, and risks moving at machine speed. For organizations trying to grapple with the challenge of enabling AI while managing the risk, visibility, context and guardrails should be foundational.

Darktrace helps manufacturers build secure AI approaches by making those foundations possible. It provides visibility and real-time detection and response to unusual activity across IT and OT environments and allows organizations to understand AI activity from the prompts employees use and the agents they build to how those agents are behaving across the environment. For manufacturers scaling AI, this delivers a foundation for innovation without sacrificing control.

Continue reading
About the author
Oakley Cox
Director of Product
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ