Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. 'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat
'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat
NEWS

'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat

Palo Alto Networks Unit 42 queried AI models 685,000+ times and found they hallucinate 2.1 million plausible-but-fake domains — attackers are now...

Dylan H.

News Desk

July 5, 2026
5 min read

Palo Alto Networks Unit 42 published research on June 30, 2026 documenting a novel and structurally difficult-to-fix attack vector: phantom squatting. By exploiting the tendency of large language models to hallucinate plausible-but-non-existent domain names and package identifiers, attackers are pre-registering predicted phantom assets before defenders even know they exist — then weaponizing them weeks later.

What Is Phantom Squatting?

Traditional typosquatting relies on human error: a user accidentally types micosoft.com instead of microsoft.com. Phantom squatting is different. It exploits a structural property of LLM architectures — the tendency to generate statistically plausible text rather than factually accurate text.

When you ask an LLM about a brand, a software package, or a security tool, it doesn't retrieve information from a database. It generates a statistically likely-sounding answer. That means it regularly invents domains, package names, and URLs that don't exist — but sound like they should.

Phantom squatting is the practice of identifying which hallucinated names models consistently produce, then registering them as real domains or packages before the real organization does.

Unit 42's Research: The Scale Is Alarming

Unit 42 conducted a systematic study of this phenomenon:

  • They queried two AI models 685,339 times about 913 well-known brands
  • The models produced 2.1 million links in response
  • 13,229 of those links were already flagged as malicious
  • Approximately 250,000 invented domains had no registrant — ready to be claimed

What makes this particularly dangerous is consistency: different models often hallucinate the same fake domain for the same prompt. This predictability turns phantom squatting from opportunistic to systematic. An attacker doesn't need to guess — they can query the model themselves, identify consistently hallucinated domains, and register them in bulk.

A Real-World Case: The Montana Empire Kit

Unit 42 didn't just theorize about this threat — they documented a live exploitation in March 2026.

Researchers predicted that a specific AI model would consistently hallucinate a domain resembling a real postal service marketplace. They noted it as a candidate for phantom squatting.

23 days after the prediction, an attacker registered the hallucinated domain and deployed the Montana Empire phishing kit on it. The kit:

  • Scraped the real postal service storefront in real time to display genuine product listings
  • Captured card numbers, bank transfer details, and national IDs entered by victims
  • Used a Telegram bot for real-time OTP interception and approval
  • Was partially built with an AI coding assistant (confirmed via session logs)

The victim saw a convincing replica of a real storefront. The domain was newly registered with no threat reputation. Blocklists had no history on it. Standard defenses saw nothing.

Related: Slopsquatting in Package Ecosystems

Phantom squatting has a direct analog in software supply chain security: slopsquatting (also called package hallucination). AI coding assistants regularly suggest import statements for packages that don't exist but sound plausible given the task. Attackers monitor these hallucinated package names and publish malicious versions to npm, PyPI, and other repositories under those names.

The PhantomRaven campaign (documented in parallel research) demonstrates the scale of this threat:

  • 126 malicious npm packages were registered using hallucinated package names
  • Those packages accumulated 86,000+ installs before detection
  • Developers trusted the installs because their AI assistant had recommended the package

Why This Threat Is Structurally Hard to Fix

Unit 42 describes phantom squatting as exploiting "a structural property of LLM architectures that remains inherently unpatchable." LLMs generate statistically plausible text — that's what makes them useful. Eliminating hallucinations entirely would require a fundamentally different architecture. Until then:

  • Models will keep inventing domain names
  • Different users querying the same model get the same hallucinated names
  • Attackers can predict which names to register by querying the model themselves

There's no patch, no model update, and no content filter that eliminates this vector.

Defensive Opportunities

Despite the structural challenge, defenders have actionable options — because hallucination consistency is a double-edged sword:

Pre-map hallucinated domains: Organizations can systematically query LLMs about their own brand names and products, identify consistently hallucinated variants, and pre-register or monitor them before attackers do. Unit 42's methodology offers several weeks of lead time in many cases.

Monitor newly registered domains: Phantom squatted domains are newly registered with no history. DNSTWIST, Palo Alto's PDNS, and commercial threat feeds can alert on registrations matching brand patterns — catching weaponization early.

Audit AI-generated code imports: Any package name suggested by an AI coding assistant should be verified against the actual registry before installation. Tools like socket.dev can flag newly published packages matching hallucination patterns.

Developer education: Treat AI-suggested package names as unverified until confirmed against a canonical source. "The AI told me to import it" is not sufficient validation.

Privileged workflow isolation: Agentic AI workflows with no human-in-the-loop are especially vulnerable — an AI agent that browses hallucinated URLs or installs hallucinated packages can compromise an entire pipeline without a human ever noticing.

Phantom squatting is a reminder that AI systems don't just introduce new capabilities — they introduce new attack surfaces. Every place an LLM generates a domain name, a package name, or a URL is a potential phantom squatting opportunity. The organizations that map that surface proactively are the ones who won't be caught off guard by the next Montana Empire.

#supply-chain#ai-hallucination#domain-squatting#Phishing#unit42#npm#PhaaS

Related Articles

Crafty Phishing Campaigns Auto-Adapt to Victim's Device, OS

Phishing kits now fingerprint victims via user-agent headers to deliver OS-specific payloads automatically — device code phishing attacks spiked 1,380% in...

4 min read

FBI Dismantles Massive AI-Powered Chinese Phishing-as-a-Service Operation

The FBI, Google, and Black Lotus Labs jointly dismantled Outsider Enterprise, a massive Chinese phishing-as-a-service platform that operated over one...

5 min read

Europol-Coordinated Action Dismantles Tycoon2FA — 330

An international coalition led by Europol and Microsoft has taken down Tycoon2FA, a phishing-as-a-service platform responsible for 87.5 million phishing...

7 min read
Back to all News