ProBackend
phantom squatting ai hallucinated domains

The Ghost in the API: Cybercriminals Capitalize on LLM Domain Hallucinations to Hijack Supply Chains

As organizations integrate AI assistants deeper into their development and research pipelines, attackers are exploiting a structural weakness in how LLM output is trusted. The technique, 'phantom squatting', is to register the non-existent domains that LLMs consistently hallucinate for real brands, then use them to impersonate legitimate endpoints and steal data.

Phantom Squatting: The AI Flaw Giving Attackers a Free Pass to Your Infrastructure

Generative AI isn't just writing code for us anymore. It's actively steering where we send traffic, and too often it's steering developers straight into a trap. Attackers no longer need to guess where you'll go. They ask the AI, note which plausible-sounding domain it hallucinates, and register it before you ever visit it.

Welcome to phantom squatting. It's an emerging supply chain threat that's sneakier than the average phishing link. Because the domain the AI recommends was registered only recently, it carries no reputation history at all. Filters that block only on a prior bad reputation have nothing to key on and will let that traffic straight through. This isn't a theoretical issue; it's a structural flaw in how we trust LLM-generated output, and it's being exploited in the wild right now.

How We Get Tricked: The AI Recommendation Bias

The core of the problem, really, is predictability. Many Large Language Models (LLMs) operate on incredibly similar training sets and architectural foundations. When they're prompted for a specific API endpoint, a corporate support URL, or a documentation portal for a large brand, they often "fill in the blank" using a very standard, logical naming convention.

If you ask an LLM for an endpoint for, say, a major SaaS provider, it might confidently hallucinate a domain name like api-v2-service-portal.com. It sounds perfectly legitimate. It hits the right keywords. It’s a structurally sound guess. And since the user trusts the AI assistant to speed up their workflow, they’re far less likely to question the validity of that link before they click. The AI gives it a veneer of authority that a random, suspicious link simply lacks.

Predicting the Hallucinations

This isn't just occasional guesswork or a fluke. Security researchers at Palo Alto Networks' Unit 42 decided to test how deep this hole goes. They ran over 685,000 prompts across different temperature settings (essentially varying how much randomness the model is allowed in its output) to map which non-existent domains the models produce and how stable those outputs are.

What they found was genuinely alarming. The models weren't hallucinating randomly; they were hallucinating consistently. Testing against 913 brands, they flagged roughly 250,000 hostnames that didn't exist but were available to register. Worse, these hallucinations are predictable through cross-model consensus: if one model hallucinates a specific domain, the chances are high that another will produce the same one.

They even put it to the test: in one instance, they flagged a target domain and only 23 days later, an attacker registered that exact domain to host a phishing kit. That’s not a coincidence; it’s a roadmap the attackers are following directly to our infrastructure.
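A defender can run the same consensus mapping the researchers describe, on their own brand, before an attacker does. The following is an added example in Python (not Unit 42's tooling and not code from this article): it takes answers from several models, pulls out the hostnames, keeps those that at least two models agree on and that are not under a domain the brand owns, and marks whether each is already registered. The model answers, the fictional brand "Examplecorp", its domain list and the registration lookup are all constructed placeholders; in practice the lookup would be backed by RDAP/WHOIS or passive DNS and the registrable-domain logic by the Public Suffix List.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample data: what three hypothetical models answered when asked
# for an API endpoint for the fictional brand "Examplecorp". These are not
# real model outputs; they exist only to exercise the consensus logic.
MODEL_OUTPUTS = {
    "model_a": [
        "Use https://api.examplecorp.com/v2/ for the REST API.",
        "The docs are at https://developer-examplecorp.com/docs.",
    ],
    "model_b": [
        "POST to https://developer-examplecorp.com/v1/auth to authenticate.",
        "Try https://examplecorp-api-portal.net as the base URL.",
    ],
    "model_c": [
        "Base URL: https://developer-examplecorp.com",
        "Status page: https://status.examplecorp.com",
    ],
}

# Assumed: registrable domains the brand actually owns (your asset inventory).
KNOWN_GOOD = {"examplecorp.com"}

# Assumed stand-in for a registration lookup so the example runs offline.
# Back this with RDAP/WHOIS or passive DNS in real use.
REGISTERED = {"examplecorp.com", "status.examplecorp.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.net; use the Public
    Suffix List (e.g. the tldextract package) for anything serious."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(text: str) -> set[str]:
    """Pull every hostname out of the URLs in a model answer."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def consensus_table(outputs: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each hostname to the set of models that produced it."""
    seen: dict[str, set[str]] = defaultdict(set)
    for model, answers in outputs.items():
        for answer in answers:
            for host in extract_hosts(answer):
                seen[host].add(model)
    return dict(seen)


def phantom_candidates(outputs, known_good, registered, min_models=2):
    """Hostnames not under a brand-owned domain that at least `min_models`
    models agreed on. Unregistered ones are what an attacker would grab next
    (register or sinkhole them yourself); registered ones are worth checking
    for who owns them and since when."""
    candidates = []
    for host, models in consensus_table(outputs).items():
        if registrable_domain(host) in known_good:
            continue  # a real brand domain, not a phantom
        if len(models) < min_models:
            continue  # one-off hallucination; low attacker value
        is_registered = host in registered or registrable_domain(host) in registered
        candidates.append({"host": host, "models": sorted(models),
                           "registered": is_registered})
    return sorted(candidates, key=lambda c: -len(c["models"]))


if __name__ == "__main__":
    for c in phantom_candidates(MODEL_OUTPUTS, KNOWN_GOOD, REGISTERED):
        print(c)
```

With the constructed data, `developer-examplecorp.com` is the only hostname all three models agree on that the brand does not own and nobody has registered, which is exactly the kind of domain the 23-day case above describes. Raising `min_models` trades recall for precision; the researchers' point is that consensus, not any single answer, is the signal.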

The Attack Lifecycle: A Four-Phase Process

The attackers have built a well-oiled machine here. It's not particularly complicated, but it's devastatingly effective because it uses our own tools against us. The lifecycle works in four distinct phases.

First, they DISCOVER: they query popular LLMs repeatedly, across models and prompt variations, to map which brand-related domains are hallucinated consistently. No training is involved; the outputs are stable enough that repeated sampling reveals what the model will say next.

Next, they ACT: they quickly register the most promising, often-hallucinated domains.

Then, they LURE: the LLM itself does the heavy lifting. When an unsuspecting developer asks for help, documentation, or an endpoint, the AI recommends the registered domain in its response, effectively acting as the delivery vehicle for the trap.

Finally, they BYPASS: because these domains are registered so shortly before they're used, they possess no blocklist history or reputation. Detection systems that rely on prior reports or known bad behavior treat the traffic as trustworthy. Domain age is the one signal that does survive, which is why newly-registered-domain blocking deserves to be more than a checkbox. By the time the security team catches on, the damage is already done.

Beyond Squatting: The Broader Developer Risk

We really need to stop thinking about this just as domain squatting. This is part of a larger, messier problem involving automated, integrated developer tools that we've invited into our inner sanctums.

Consider "slopsquatting," where developers are tricked into installing malicious packages that have been hallucinated by AI tools. Or look at the Miasma Worm supply-chain attack campaign, which recently poisoned 73 Microsoft NPM and GitHub packages. The real kicker? The credential-stealing code triggered automatically when developers simply opened those tainted packages using AI coding agents—the very assistants meant to keep them productive.

The tools meant to make us faster—like Claude Code, Gemini CLI, or Cursor—are becoming the primary access point for these attackers. And if that wasn't enough, researchers at LayerX recently demonstrated "BioShocking," a prompt injection attack that can trick agentic browser plugins into ignoring standard security constraints and handing over local credentials. It's a compounding problem.

Defensive Countermeasures: Breaking the Trust Chain

So, where does that leave us? We’ve got to start treating AI recommendations the same way we treat unsolicited emails or DMs from strangers on the internet: with extreme, healthy skepticism.

Organizations need to enforce independent allowlisting and verification. If your AI assistant suggests an external endpoint, don't just click it. Verify it against your own trusted asset inventory first.

Furthermore, we need much tighter controls on our AI agents. They shouldn't have free rein to initiate network requests to untrusted domains; egress from an agent's sandbox should be restricted to an allowlist. We also need to get aggressive about scoping the credentials these coding assistants can reach: short-lived, least-privilege tokens, not the developer's ambient secrets.
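One way to implement the verification step above, and to use it as the gate in front of an agent's outbound requests, is shown in the following added Python example (not code from this article or from any of the tools it names). A URL an assistant proposes is parsed, its registrable domain is compared against a trusted inventory, and anything unknown is checked for brand impersonation before a human is asked to verify it. The trusted inventory, the brand tokens, the `0.8` lookalike threshold and the two-label registrable-domain logic are assumptions for illustration; a real deployment would use its own asset inventory and the Public Suffix List.

```python
from __future__ import annotations

from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed trusted asset inventory: registrable domains the organization has
# verified, plus the brand tokens an impersonating domain would reuse.
TRUSTED_DOMAINS = {"examplecorp.com", "github.com", "pypi.org"}
BRAND_TOKENS = {"examplecorp", "github", "pypi"}
LOOKALIKE_THRESHOLD = 0.8  # assumed; tune against your own false-positive rate


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); use the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def vet_suggested_url(url: str, trusted=TRUSTED_DOMAINS, brands=BRAND_TOKENS) -> dict:
    """Decide what to do with a URL an assistant proposed before anything
    touches it. Returns allow / reject / block / verify plus a reason, so the
    same function can gate an agent's egress and explain its decision."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    verdict = {"url": url, "host": host}
    if not host:
        verdict.update(decision="reject", reason="no hostname")
        return verdict
    domain = registrable_domain(host)
    if domain in trusted:
        if parts.scheme != "https":
            verdict.update(decision="reject", reason="trusted domain but not https")
        else:
            verdict.update(decision="allow", reason="in trusted inventory")
        return verdict
    # Unknown domain: is it impersonating something we trust?
    brand_hits = [b for b in brands if b in host]
    closest, score = max(((t, SequenceMatcher(None, domain, t).ratio()) for t in trusted),
                         key=lambda pair: pair[1])
    if brand_hits:
        verdict.update(decision="block",
                       reason=f"unknown domain reusing brand token(s) {brand_hits}")
    elif score >= LOOKALIKE_THRESHOLD:
        verdict.update(decision="block",
                       reason=f"unknown domain resembling {closest} ({score:.2f})")
    else:
        verdict.update(decision="verify",
                       reason="unknown domain; confirm against vendor documentation before use")
    return verdict


if __name__ == "__main__":
    for u in ["https://api.examplecorp.com/v2/", "http://examplecorp.com/",
              "https://developer-examplecorp.com/docs", "https://examp1ecorp.com/login",
              "https://api-v2-service-portal.com"]:
        print(vet_suggested_url(u))
```

The important design choice is that an unknown domain is never silently allowed: it is either blocked outright when it borrows a trusted brand's name or shape, or parked as "verify" so a human confirms it against the vendor's own documentation. A generic-sounding hallucination like the `api-v2-service-portal.com` example earlier in the article lands in "verify", which is the correct outcome: the assistant's confidence is not evidence.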

We’re building faster, smarter tools, but in our rush to automate everything, we’ve forgotten to secure the foundations. If we keep blind trust in these LLM assistants, the ghost in the API is going to keep finding new ways to exploit it. It’s time we acknowledge that speed is no substitute for security.
