VYPR
research · Published Jul 1, 2026 · 1 source

Phantom Squatting: AI Hallucinations Create New Software Supply Chain Threat

Attackers are weaponizing Large Language Models' tendency to invent non-existent domains, creating a new 'phantom squatting' threat vector targeting software supply chains.

The software supply chain, long a target for attackers, is facing a novel threat vector stemming from the very tools designed to accelerate development: Large Language Models (LLMs). Researchers at Unit 42 have identified a technique dubbed "phantom squatting," where adversaries exploit the tendency of LLMs to "hallucinate" or invent non-existent web domains for legitimate brands. Attackers then register these hallucinated domains, creating an opportunity to intercept traffic intended for legitimate services or inject malicious code into development pipelines.

This new attack surface arises because LLMs are increasingly integrated into the software development lifecycle. Developers and AI coding assistants consult these models for information, including documentation links and API endpoints. When an LLM generates a URL for a service, developers may trust and integrate it into their code or CI/CD pipelines without independent verification. This effectively turns the LLM into a trusted, yet potentially compromised, dependency within the software supply chain. For instance, an AI assistant might recommend a webhook URL for a build notification system, which could be a fictitious domain registered by an attacker to capture sensitive build telemetry or secrets.

Phantom squatting extends the concept of "slopsquatting," where LLMs hallucinate non-existent software package names. In phantom squatting, the hallucination targets web infrastructure. The scenarios are diverse: a coding assistant might generate a plausible but unregistered URL for an employee benefits portal, which an attacker could preemptively register. Alternatively, an AI research agent might produce a fictitious banking portal domain that an attacker could have already claimed to capture user credentials. The core risk lies in the LLM's output being treated as authoritative, directing legitimate traffic to malicious infrastructure.

Traditional security defenses, such as URL filtering and threat intelligence feeds, often struggle to detect phantom squatting. These systems typically rely on established threat intelligence, historical data, or observed malicious activity to identify risks. A newly registered phantom domain, however, possesses none of these indicators. It has no threat intelligence history, no accumulated reputation score, and no entries on blocklists. This zero-reputation characteristic allows attackers to weaponize these domains effectively before conventional security measures can even recognize them as a threat.
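One way to supply the independent verification step missing from the workflow described above, as an added example and not code from Unit 42 or any product named on this page: a default-deny check that pulls URL hosts out of pipeline configuration and accepts only domains on an organization-maintained allowlist, since a freshly registered domain has no reputation to look up. The allowlist, the sample config, the domain names and the stubbed resolver are all constructed assumptions.

```python
import re
import socket
from urllib.parse import urlsplit

# Brackets are excluded, so IPv6-literal URLs are out of scope for this sketch.
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.IGNORECASE)

def dns_resolves(host):
    """Default resolver: True if the name currently resolves."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def is_approved(host, approved):
    # Exact match or true subdomain only; "example.com.other.invalid" must not pass.
    return any(host == d or host.endswith("." + d) for d in approved)

def audit_urls(text, approved, resolves=dns_resolves):
    """Return {host: verdict} for every URL host found in text."""
    verdicts = {}
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        if not host or host in verdicts:
            continue
        if is_approved(host, approved):
            verdicts[host] = "approved"
        elif resolves(host):
            # Registered but unknown to us: absence from blocklists proves nothing.
            verdicts[host] = "block: not on allowlist"
        else:
            # Not registered yet: someone else could claim it later.
            verdicts[host] = "block: does not resolve"
    return verdicts

# Constructed sample: pipeline config containing assistant-suggested URLs.
SAMPLE = """
notify:
  webhook: https://hooks.example.com/build/status
  backup_webhook: "https://build-notify-example.test/hook"
docs: https://example.com.docs-portal.invalid/api
"""
APPROVED = {"example.com"}  # assumption: list maintained by the organization
FAKE_DNS = {"hooks.example.com", "build-notify-example.test"}  # constructed stub

if __name__ == "__main__":
    for host, verdict in audit_urls(SAMPLE, APPROVED, lambda h: h in FAKE_DNS).items():
        print(f"{host:36} {verdict}")
```

Both block verdicts fail the build; the distinction only tells the reviewer whether the name is already registered or still open for anyone to claim.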

Unit 42's research involved analyzing 913 global brands and executing millions of URL queries across different LLM configurations. This analysis confirmed the prevalence of domain hallucinations, identifying over 13,000 confirmed malicious URLs and approximately 250,000 hallucinated domains that remain unregistered. The proactive monitoring by Unit 42 researchers even predicted the registration of high-risk hallucinated domains between 18 and 51 days in advance.

A particularly concerning real-world case highlighted the full cycle of this threat. An attacker used an AI coding assistant to develop a phishing kit named "Montana Empire." This kit targeted a domain that Unit 42's detection pipeline had identified as a high-risk hallucination target just 23 days prior, demonstrating the rapid weaponization of AI-generated vulnerabilities.

Palo Alto Networks customers are protected through products like Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, Prisma AIRS, and Koi Agentic Endpoint Security. The Unit 42 AI Security Assessment service is also available to help organizations navigate the complexities of secure AI adoption and development.

The emergence of phantom squatting underscores a critical shift in the cybersecurity landscape. As AI becomes more deeply embedded in development workflows, the attack surface expands beyond traditional vulnerabilities to encompass the very outputs generated by these intelligent systems. Organizations must adapt their security strategies to account for these AI-driven threats, focusing on verification, monitoring, and robust defenses against novel supply chain attack vectors.

Synthesized by Vypr AI