Researchers at Palo Alto Networks Unit 42 have uncovered a new twist on software supply chain attacks, one that turns the AI coding assistants developers rely on into unwitting traffic funnels for attacker-controlled infrastructure. The technique, which the team calls phantom squatting, exploits a well-documented quirk of large language models: they routinely invent, or hallucinate, nonexistent web addresses for real companies. Attackers are now registering those made-up domains and waiting for the AI to send victims their way.
The problem matters because LLMs have quietly become a supply chain dependency of their own. Developers ask AI assistants for documentation links, API endpoints, and webhook URLs, then paste the answers straight into production code or CI/CD pipelines. When a model confidently returns something like hxxps://api[.]build-notifier[.]io/v1/pipeline/events, few people stop to check whether the domain is real. If an attacker has already registered it, that build telemetry, or worse the secrets attached to it, flows straight to them.
What Unit 42 found
To measure the scale, the researchers ran 685,339 URL queries against two different LLMs across 913 global brands, generating roughly 2.1 million URLs. They confirmed more than 13,229 malicious URLs already in play and, more alarmingly, about 250,000 hallucinated domains that remain unregistered, sitting unclaimed for any adversary to grab. Because the same model produces the same hallucinations over and over, the team could predict which domains attackers would target between 18 and 51 days before the attackers actually registered them.
A phishing kit built by AI
One case ties the whole loop together. An attacker used an AI coding assistant to build a complete phishing kit that Unit 42 nicknamed Montana Empire, then aimed it at a domain the researchers' own pipeline had flagged as a high-risk hallucination target 23 days earlier. In that instance the operator had even staged the phishing server before registering the domain, showing how tight the window has become. In observed cases, domains went from fresh registration to live malicious content within hours.
How the attack works
Unit 42 breaks the technique into four phases. Attackers first probe a target brand, hammering an LLM with realistic prompts to map which fake domains it tends to invent. They then register the most valuable of those domains, a cheap and near-instant step for generic top-level domains. From there the LLM itself delivers the lure: any developer or autonomous AI agent that asks a question triggering the hallucinated URL gets an authoritative-sounding recommendation to visit attacker infrastructure. Finally, the freshly minted domain bypasses defenses because it has no reputation history, no blocklist entry, and no threat intelligence signal to trip on. As the researchers put it, the fake domain is born clean because it comes from the model's own vocabulary.
This is the same blind spot that made poisoned AI models and hijacked package namespaces so effective, and it extends the earlier idea of slopsquatting, where LLMs hallucinate nonexistent software package names, from code registries to the open web. It also rhymes with recent cases of malicious skills tricking AI agents into installing malware and the AI coding tools that fell at Pwn2Own Berlin.
What you should do
There is no patch for a hallucination. Unit 42's guidance is procedural: treat any URL, endpoint, or domain suggested by an LLM as untrusted input, and verify it against official documentation before wiring it into code, pipelines, or agent workflows. Security teams should monitor for newly registered domains that closely mirror their brand, extend URL filtering and DNS security to catch zero-reputation destinations, and constrain autonomous agents so they cannot fetch arbitrary model-generated URLs without a human or policy check.
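One way to implement the policy check described above, as an added example that is not from Unit 42's report or this briefing: a gate that pulls URLs out of model output and passes only HTTPS hosts already verified against official documentation. The allowlist entries, function names and sample text are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts a human has confirmed against the vendor's official docs.
VERIFIED_HOSTS = {"docs.example.com", "api.example.com"}
# Assumption: parent domains whose subdomains are all trusted.
VERIFIED_SUFFIXES = {"example.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

def check_url(url):
    """Return (allowed, reason) for one model-suggested URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "non-HTTPS scheme"
    if parts.username or parts.password:
        # "https://trusted@other-host/" resolves to other-host.
        return False, "userinfo in URL (host may be disguised)"
    if not host:
        return False, "no host"
    if host in VERIFIED_HOSTS:
        return True, "verified host"
    # Match on a label boundary so "evilexample.org" does not pass.
    if any(host == s or host.endswith("." + s) for s in VERIFIED_SUFFIXES):
        return True, "verified parent domain"
    return False, "unverified host: needs human review"

def review_llm_output(text):
    """Extract every URL from model output and gate each one."""
    return {u: check_url(u) for u in URL_RE.findall(text)}

# Constructed sample of assistant output (not real model text).
SAMPLE = (
    "Post build events to https://api.build-notifier.example/v1/pipeline/events "
    "and read https://docs.example.com/webhooks for details. "
    "Mirror: https://docs.example.com@cdn-mirror.example/webhooks or "
    "http://api.example.com/v1 or https://hooks.example.org/v2"
)

if __name__ == "__main__":
    for url, (ok, reason) in review_llm_output(SAMPLE).items():
        print("ALLOW" if ok else "BLOCK", url, "-", reason)
```

Run as a pre-commit or CI step over generated config, or call `check_url` before an agent's fetch tool resolves a destination; anything blocked goes to a human for verification rather than being fetched.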
Indicator
Unit 42 published one representative attacker endpoint from its analysis: hxxps://api[.]build-notifier[.]io/v1/pipeline/events (defanged). Read the original report for the full methodology.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.