LLMs Expose Software Supply Chain to Phantom Squatting Threat

Unit 42's analysis found that 809,455 (37.28%) of 2.1 million LLM-generated URLs resolve to non‑existent domains — a registerable attack surface that collapses to roughly 250,000 unique "phantom" domains that adversaries can preemptively occupy.

Scope and scale: 2.1 million URLs, 13,229 confirmed malicious, 250,000 phantom domains

Unit 42 executed 685,339 adversarial prompts across 913 global brands and two distinct LLM families, producing 2.1 million unique URLs. Threat intelligence systems flagged 13,229 of those URLs (0.61%) as malicious at the time of analysis; an additional 41,313 URLs (1.90%) were judged high‑risk (parked, adult, or low‑telemetry pages). After DNS resolution and normalization, the 809,455 unique URLs that pointed at non‑existent domains (NXD) collapsed into roughly 250,000 registerable phantom domains — each a discrete opportunity for an adversary to preemptively register and weaponize infrastructure.

The two LLMs in the study behaved differently: the production‑optimized model (LLM1) produced an elevated NXD rate of 44.6% across ~1.2 million URLs, versus 27.5% for LLM2. Inference temperature also changed hallucination volume: the Creative setting (T = 1.5) yielded a 43.10% NXD rate, compared with 34.64% for Precise (T = 0.1) and 32.52% for Balanced (T = 0.7). By contrast, confirmed malicious URL rates stayed tightly clustered (0.57–0.63%), indicating that the presence of malicious infrastructure in model outputs is a persistent property across architectures and settings.

Montana Empire: an AI‑built phishing kit and a 23‑day proactive detection

Unit 42 documented a standout case in which its multi‑agent pipeline generated hallucinated URLs for a national postal service e‑commerce marketplace on March 8, 2026. Those phantom domains exhibited high Thermal Hallucination Persistence (THP) across both LLM families and all temperature settings and were added to a watchlist. On March 31, 2026 — an adversarial exploitation window (AEW) of 23 days — an attacker registered the domain and deployed a weaponized phishing kit named Montana Empire.

Analysis of the deployed kit recovered a ZIP archive (SHA256 eb07edaa2786cfddfa4c15526168f2200d85300aee0a8f253b32d2462a7b0bcd, filename redacted in Unit 42 reporting) containing a full brand clone, PHP backend and an AI coding assistant project directory that Unit 42 says evidences the attacker’s use of an assistant to build the kit. Unit 42 describes Montana Empire components including a real‑time storefront scraper, dual‑channel interception for payments with IBAN rotation via a Telegram bot, identity‑document harvesting, and an admin panel used to relay one‑time passwords via Telegram.

Agentic workflows and the supply‑chain vector

Unit 42 frames phantom squatting as a software supply‑chain vector that arises because LLMs are now active components of development and automation pipelines. LLMs hallucinate plausible yet unregistered domains for portals, API endpoints and webhook URLs; these artifacts are then consumed by autonomous agents, CI/CD integrations, developer code and automated documentation. When an adversary pre‑registers a hallucinated domain, the domain starts with zero reputation — no blocklist entries, no historical telemetry and no threat intelligence — allowing a near‑instant zero‑reputation bypass.

The report formalizes the attack lifecycle as Discover → Act → Lure → Bypass: adversaries probe models to map hallucination surfaces, pre‑register prioritized domains, serve targeted malicious content or APKs, and exploit the LLM itself as the delivery mechanism for authoritative‑seeming URLs. Unit 42 notes agentic systems are a particularly high‑consequence target because autonomous fetching and execution can move secrets or dependencies through a build pipeline without human interaction.

What this means for technologists and security teams, Palo Alto Networks customers, and developers using AI coding assistants

  • Technologists and security teams: Unit 42 demonstrates a defensive path forward — map the hallucination surface, enroll NXDs in a watchlist and monitor registration streams to gain an adversarial exploitation window (AEW) measured in days or weeks. The report highlights thermal hallucination persistence and cross‑model consensus as prioritization signals.
  • Palo Alto Networks customers: Unit 42 identifies specific protections available to customers, including Advanced WildFire, Advanced URL Filtering and Advanced DNS Security, Prisma AIRS and Koi Agentic Endpoint Security; it also offers the Unit 42 AI Security Assessment and Unit 42 Incident Response contact channels for urgent compromise handling (regional phone numbers listed in the report).
  • Developers using AI coding assistants: The research demonstrates that AI assistants can both generate hallucinated endpoints and be used by attackers to build tooling that exploits those hallucinations. Where LLMs recommend webhook URLs, API endpoints or package sources, the report implies those artifacts require independent validation and monitoring for emergent registrations.
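
An added example of the watchlist workflow in the list above, not code from the Unit 42 report: it collapses LLM-emitted URLs to registrable domains, ranks the non-existent ones by cross-model consensus and persistence across the three temperature settings, then measures the exploitation window against a registration feed. Assumptions: the THP score is approximated as the share of temperature settings in which a domain recurs, the suffix table stands in for the Public Suffix List, the NXD set stands in for live DNS resolution, and the `.example` domains and feed are constructed, with dates mirroring the Montana Empire timeline.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for the sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
TEMPERATURES = (0.1, 0.7, 1.5)   # Precise, Balanced, Creative (from the article)

def registrable_domain(url):
    """Collapse a URL to the domain an adversary would have to register."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:]) if len(labels) >= n else None

def build_watchlist(observations, is_nxd):
    """observations: (model, temperature, url). Ranks NXD domains by model count,
    then thp = share of temperature settings seen (assumed approximation)."""
    seen = defaultdict(lambda: (set(), set()))
    for model, temp, url in observations:
        dom = registrable_domain(url)
        if dom and is_nxd(dom):
            seen[dom][0].add(model)
            seen[dom][1].add(temp)
    rows = [{"domain": d, "models": len(m), "thp": len(t) / len(TEMPERATURES)}
            for d, (m, t) in seen.items()]
    return sorted(rows, key=lambda r: (-r["models"], -r["thp"], r["domain"]))

def exploitation_windows(first_seen, registrations):
    """Days between a domain entering the watchlist and its registration."""
    return {d: (reg - first_seen[d]).days
            for d, reg in registrations if d in first_seen}

# Constructed sample data; .example names are placeholders, not from the report.
OBSERVATIONS = [
    ("LLM1", 0.1, "https://shop.post-market.example/login"),
    ("LLM1", 0.7, "https://post-market.example/track"),
    ("LLM2", 1.5, "http://POST-MARKET.example./pay"),
    ("LLM1", 1.5, "https://api.brandpay.co.uk/v1/webhook"),
    ("LLM2", 0.7, "https://www.realbrand.example/help"),
]
NXD = {"post-market.example", "brandpay.co.uk"}   # stand-in for DNS resolution
WATCHLIST = build_watchlist(OBSERVATIONS, NXD.__contains__)
FIRST_SEEN = {row["domain"]: date(2026, 3, 8) for row in WATCHLIST}
FEED = [("post-market.example", date(2026, 3, 31)),
        ("unrelated.example", date(2026, 3, 30))]
WINDOWS = exploitation_windows(FIRST_SEEN, FEED)
```

In a real deployment `is_nxd` would wrap a resolver and `FEED` would come from a newly-registered-domain source; a hit in `WINDOWS` is the signal to block or investigate before the domain accrues any reputation.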

Conclusion: a race to occupy a zero‑reputation window

Unit 42’s findings tie a quantifiable lead time — up to 51 days in one documented case — to an architectural property of LLMs: their tendency to produce plausible, repeatable domain names that start with zero reputation. The consequence is a new, predictable supply‑chain vector in which defenders who map hallucination surfaces and monitor registration streams can gain actionable lead time, while adversaries who act faster can occupy phantom namespaces and weaponize clean infrastructure. Palo Alto Networks has shared these findings with the Cyber Threat Alliance to push protections to customers; the fundamental question the report leaves on the table is operational and temporal — which side will act first.

Read the original Unit 42 report