Phantom Squatting Emerges as a New AI-Driven Software Supply Chain Threat
What happened
Cybersecurity researchers have identified a new attack technique called phantom squatting, where threat actors register nonexistent web domains that large language models (LLMs) mistakenly generate for legitimate organizations. The research, published by Palo Alto Networks’ Unit 42, found that AI models frequently hallucinate plausible but unregistered domains, creating new opportunities for attackers to intercept users and automated systems.
Unit 42 analyzed 913 global brands using more than 685,000 URL queries and discovered approximately 250,000 hallucinated domains. Researchers also identified thousands of malicious URLs already associated with legitimate brands, highlighting how AI-generated inaccuracies can become part of the software supply chain risk.
Researchers observed attackers registering high-risk hallucinated domains within weeks of their discovery. In one notable case, a phishing campaign known as “Montana Empire” targeted a hallucinated postal service domain. According to the research, the attacker used an AI coding assistant to build a complete phishing kit, including a cloned storefront, backend infrastructure, and Telegram-based command-and-control capabilities before launching credential theft attacks.
Security engineer and Detectify co-founder Johan Edholm warned that phantom squatting differs from traditional typosquatting because attackers exploit domains invented by AI rather than user typing mistakes. As AI assistants become more widely trusted, these fabricated domains may appear legitimate to both employees and automated systems.
Who is affected
Organizations that rely on AI assistants, coding tools, research agents, or autonomous workflows are the most exposed. Developers may unknowingly embed AI-generated API endpoints into applications, while employees could be directed to fake corporate portals, banking sites, or internal services.
Enterprises integrating LLMs into software development, IT operations, and business workflows face increased software supply chain risk because AI-generated recommendations may point users or systems toward attacker-controlled infrastructure.
Why CISOs should care
Phantom squatting introduces a new supply chain risk that does not rely on traditional phishing emails or user mistakes. Instead, malicious domains gain credibility because they are recommended by trusted AI systems.
The threat is especially concerning as organizations give AI agents greater autonomy. Future attacks could move beyond misleading users to automated systems interacting directly with attacker-controlled infrastructure without human approval. Traditional domain reputation tools may also struggle because newly registered phantom domains often have no known malicious history.
3 practical actions
Verify AI-generated URLs and API endpoints against approved documentation or internal allowlists before they are used.
Restrict AI assistants and autonomous agents from accessing arbitrary external domains without validation.
Limit the permissions, credentials, and sensitive data available to AI-powered systems to reduce the impact of compromised connections.


