Palo Alto Networks’ Unit 42 team has documented a new software supply chain attack vector it calls phantom squatting, in which threat actors register web domains that large language models (LLMs) consistently fabricate when queried about legitimate brands and services. The research, published June 30, 2026, demonstrates that this is not a theoretical risk: adversaries are actively exploiting it today.

How the Attack Works

LLMs have long been known to hallucinate software package names, a problem catalogued under the term slopsquatting. Phantom squatting extends that logic to web infrastructure. When developers or autonomous AI agents ask a coding assistant for documentation links, API endpoints, or service portals, the model may generate plausible but entirely fictitious domains. If an attacker has pre-registered one of those domains, any traffic the AI system or the developer’s application directs there goes straight to attacker-controlled infrastructure.

The threat is amplified by how deeply LLMs are now embedded in development workflows. CI/CD pipeline assistants recommend third-party service endpoints. AI research agents perform autonomous HTTP requests against URLs they generate themselves. Developers integrate AI-suggested URLs directly into production code. In each scenario, the LLM effectively functions as a trusted supply chain dependency, and downstream consumers rarely verify its output independently.

Scale of the Problem

To quantify the risk, Unit 42 analyzed 913 global brands and executed 685,339 URL queries across two distinct LLM models in multiple configurations. That corpus produced 2.1 million URLs. Researchers identified:

  • More than 13,229 confirmed malicious URLs already in use
  • Approximately 250,000 hallucinated domains that remain unregistered and available for adversaries to claim

Proactive monitoring of high-priority hallucinated domains yielded real-world detections across multiple industry sectors, with researchers predicting adversary registrations between 18 and 51 days before they occurred.

Montana Empire: AI-Built Phishing Kit

A particularly illustrative case involved a phishing kit the researchers named Montana Empire. An attacker used an AI coding assistant to build the kit, which targeted a domain that Unit 42’s detection pipeline had flagged as a high-risk hallucination target 23 days before the attacker registered it. The incident traces the complete attack cycle: LLM-assisted kit development targeting a domain the same class of LLMs was likely to hallucinate.

Why Traditional Defenses Fall Short

Conventional URL filtering and threat intelligence platforms rely on reputation data, meaning a domain must have a history of malicious activity before it gets blocked. Phantom domains are, by definition, newly registered and carry no prior reputation. This makes blocklist-based defenses structurally blind to the threat during the period when it is most dangerous.

Recommendations

Security teams should treat LLM-generated URLs with the same skepticism applied to any unverified third-party dependency. Specific mitigations include:

  • Validating AI-generated URLs against authoritative sources before integrating them into code or pipelines
  • Monitoring for registration activity on domains associated with internal brand assets and partner services
  • Applying DNS security controls capable of flagging newly registered domains in automated workflows
  • Auditing agentic AI systems that make autonomous HTTP requests to externally generated URLs

Unit 42 notes that roughly 250,000 high-risk hallucinated domains remain unregistered, representing an open window for both proactive defensive registration and continued adversarial exploitation.