Unit 42 has uncovered a novel and active software supply chain attack vector termed 'Phantom Squatting.' This threat leverages the tendency of Large Language Models (LLMs) to hallucinate non-existent web domains, which adversaries then register to intercept traffic and compromise users. Our research confirms that this is not a theoretical risk but an ongoing attack pattern observed in the wild. Attackers are weaponizing AI-generated misinformation to bypass traditional security measures that rely on historical reputation data. A key finding includes the discovery of a phishing kit named Montana Empire, which was deployed on a phantom domain predicted by our systems weeks in advance. With over 250,000 unregistered phantom domains discovered, the attack surface is vast and growing. This report details the phantom squatting lifecycle, assesses its impact on the software supply chain, and provides actionable recommendations for detection and mitigation.
Phantom squatting represents a significant evolution in supply chain attacks, shifting the focus from traditional artifacts like tampered packages to the very fabric of AI-assisted development. As LLMs become integrated into developer workflows and CI/CD pipelines, they are treated as trusted sources of information. Developers and automated systems often accept LLM-generated output, including URLs for documentation, API endpoints, and service configurations, without verification.
This trust creates a critical vulnerability. When an LLM hallucinates a domain—for example, suggesting api.build-notifier.io for a CI/CD webhook—it may be entirely fictitious. An adversary who has proactively registered this domain can intercept sensitive data, such as build telemetry or secrets. The core of the threat lies in this 'zero-reputation bypass.' A phantom domain, at the moment of its weaponization, has no negative history, is not on any blocklist, and its content is newly generated, rendering conventional threat intelligence and reputation scoring ineffective. The LLM, in effect, becomes an unwitting accomplice, laundering the reputation of a malicious domain by presenting it as authoritative.
The phantom squatting attack lifecycle consists of four primary phases:
This attack pattern leverages several MITRE ATT&CK techniques:
T1589.002 - Gather Victim Organization Information: Software: Adversaries probe LLMs to discover what phantom domains are associated with a target organization's software and services.
T1583.001 - Acquire Infrastructure: Domains: The core of the attack involves registering the hallucinated domains.
T1608 - Stage Capabilities: Setting up the malicious infrastructure (phishing sites, data interception servers) on the phantom domains.
T1588.006 - Obtain Capabilities: Web Services: The case of the Montana Empire phishing kit shows attackers using AI coding assistants to build their malicious tools, demonstrating a full AI-driven attack cycle.
T1566.002 - Phishing: Spearphishing Link: The LLM acts as the delivery mechanism for the malicious link, lending it an air of legitimacy that traditional phishing emails lack.
T1204.002 - User Execution: Malicious Link: The end-user or automated system clicks the link or executes the HTTP request provided by the trusted LLM.

The impact of phantom squatting on an organization can be severe, extending deep into the software supply chain.
The scale of the problem is significant. Unit 42's analysis of 913 global brands across two LLM models generated 2.1 million URLs, revealing over 13,229 confirmed malicious URLs and approximately 250,000 unregistered (and thus exploitable) phantom domains.
The source article discusses the discovery of over 13,229 malicious URLs but does not provide a specific list of Indicators of Compromise (IOCs).
Security teams may want to hunt for the following patterns, which could indicate related activity:
HTTP requests to unexpected or non-standard URLs, especially those recommended by integrated AI assistants.
curl, wget, git) making connections to unknown domains.

Detecting and responding to phantom squatting requires a shift away from purely reputation-based defenses.
Mitigating phantom squatting requires a multi-layered approach that combines proactive measures with robust technical controls.
Filter web traffic from developer and CI/CD environments, blocking access to newly registered or uncategorized domains that may be used for phantom squatting.
Implement strict egress filtering for build servers and developer environments to prevent unauthorized outbound connections to adversary-controlled infrastructure.
Mapped D3FEND Techniques:
Educate developers about the risk of LLM hallucinations and instill a security-conscious practice of verifying all URLs and code snippets from AI assistants.
To counter phantom squatting, organizations must implement stringent outbound traffic filtering, especially for CI/CD pipelines and developer environments. The default policy should be 'deny all,' with an explicit allowlist for known-good destinations required for builds, package management, and API calls. For CI/CD runners, this allowlist should be dynamically configured based on the project's declared dependencies, minimizing the attack surface. For developer workstations, use a combination of proxy servers and endpoint agents to enforce policies. Configure alerting for any connection attempt that violates the policy, as this could indicate a developer has received a malicious URL from an LLM. This technique directly mitigates the 'Interception' phase of the phantom squatting attack by preventing the initial connection to the adversary's server, even if a developer trusts and clicks a malicious link.
Traditional URL blocklists are ineffective against phantom squatting's 'zero-reputation bypass.' Therefore, a dynamic URL analysis capability is critical. This should be deployed at the network edge, in web proxies, and via browser extensions for developers. The system must analyze URLs in real-time, considering factors beyond reputation. Key signals for detecting phantom domains include: domain age (block or flag domains registered within the last 30-60 days), registrar information, syntactic similarity to legitimate brand domains (detecting slopsquatting), and lack of historical DNS records. Integrating this with an AI Security Posture Management (ASPM) tool can allow for the proactive scanning of any URL generated by an LLM before it is presented to the user. This creates a crucial verification layer between the LLM and the developer, effectively identifying and neutralizing the malicious link before it can be trusted or clicked.
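A sketch of the verification layer described above, as an added example that is not code from Unit 42 or any product: it pulls URLs out of LLM output and scores each on allowlist membership, registration age and similarity to brand domains. The allowlist, brand list, registration dates and every sample domain except api.build-notifier.io are constructed; a real gate would take registration data from RDAP/WHOIS.

```python
import re
from datetime import date
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed policy data (assumptions for this example only).
ALLOWLIST = {"github.com", "pypi.org", "python.org"}
BRAND_DOMAINS = ("github.com", "pypi.org")
REGISTERED_ON = {"pypi-mirror.org": date(2025, 5, 20)}  # missing key = unregistered
MIN_AGE_DAYS = 60  # upper end of the 30-60 day window named in the text

# Constructed LLM answer; api.build-notifier.io is the page's own example.
SAMPLE = ("Install from https://pypi.org/project/requests/ or the mirror "
          "https://pypi-mirror.org/simple (also https://pypl.org/simple). "
          "Post build status to https://api.build-notifier.io/hook.")

URL_RE = re.compile(r"https?://[^\s<>()]+")

def registrable(host):
    """Naive last-two-labels reduction; production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def vet_url(url, today):
    """Return (verdict, reasons) for one URL using signals beyond reputation."""
    dom = registrable(urlsplit(url).hostname or "")
    if dom in ALLOWLIST:
        return "allow", []
    reasons = []
    created = REGISTERED_ON.get(dom)
    if created is None:
        reasons.append("unregistered (phantom candidate)")
    elif (today - created).days < MIN_AGE_DAYS:
        reasons.append(f"registered {(today - created).days}d ago")
    for brand in BRAND_DOMAINS:
        if SequenceMatcher(None, dom, brand).ratio() >= 0.8:
            reasons.append(f"resembles {brand}")
    # Unknown but unremarkable domains go to manual review, not silent allow.
    return ("block" if reasons else "review"), reasons

def vet_llm_output(text, today):
    """Vet every URL found in a piece of LLM-generated text."""
    urls = (u.rstrip(".,;:") for u in URL_RE.findall(text))
    return {u: vet_url(u, today) for u in urls}

if __name__ == "__main__":
    for url, (verdict, why) in vet_llm_output(SAMPLE, date(2025, 6, 10)).items():
        print(f"{verdict:6} {url} {why}")
```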
Since phantom squatting attacks begin with no reputation, behavioral detection through Network Traffic Analysis (NTA) is essential. Deploy NTA sensors to monitor traffic from developer subnets and CI/CD environments. Establish a baseline of normal network behavior, including typical destinations, protocols, and data volumes. Hunt for anomalies such as: connections to domains never seen before in the organization's traffic, DNS queries for domains with unusually high entropy or similarity to internal services, and unexpected data transfers from build agents to external endpoints. By focusing on deviations from the established baseline, NTA can detect the initial connection to a phantom domain and trigger an alert for investigation, providing a critical detection opportunity where reputation-based systems fail.
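The baseline-and-deviation hunt described above, as an added example rather than the article's own tooling: it learns the destinations and peak outbound volume of each build agent from a baseline window, then flags first-seen domains, high-entropy labels and unusual outbound transfers. The record format, host names, thresholds and all log lines are constructed; only api.build-notifier.io comes from the page.

```python
import math
from collections import Counter

# Constructed flow records: day, source host, destination domain, bytes sent out.
BASELINE = """\
2025-06-01 ci-runner-1 pypi.org 1200
2025-06-01 ci-runner-1 github.com 5400
2025-06-02 ci-runner-2 github.com 4800
2025-06-02 ci-runner-2 registry.npmjs.org 900
"""
TODAY = """\
2025-06-03 ci-runner-1 github.com 5100
2025-06-03 ci-runner-2 api.build-notifier.io 880000
2025-06-03 ci-runner-1 x7f3k9q2zt8w1m5b.example 300
"""

def parse(log):
    """Yield (day, source, domain, bytes_out) from whitespace-separated records."""
    for line in log.splitlines():
        day, src, dom, sent = line.split()
        yield day, src, dom.lower(), int(sent)

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def hunt(baseline_log, new_log, entropy_min=3.5, volume_factor=10):
    """Return (source, domain, reasons) for records that deviate from the baseline."""
    seen, peak = set(), {}
    for _, src, dom, sent in parse(baseline_log):
        seen.add(dom)
        peak[src] = max(peak.get(src, 0), sent)
    alerts = []
    for _, src, dom, sent in parse(new_log):
        reasons = []
        if dom not in seen:
            reasons.append("first-seen domain")
        if entropy(dom.split(".")[0]) >= entropy_min:
            reasons.append("high-entropy label")
        if sent > volume_factor * peak.get(src, 0):
            reasons.append("outbound volume above baseline")
        if reasons:
            alerts.append((src, dom, reasons))
    return alerts

if __name__ == "__main__":
    for alert in hunt(BASELINE, TODAY):
        print(alert)
```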

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.