{"id":240063,"date":"2026-07-01T07:10:25","date_gmt":"2026-07-01T12:10:25","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/07\/phantom-squatting-uses-ai-hallucinated-domains-for-phishing-and-malware"},"modified":"2026-07-01T07:10:25","modified_gmt":"2026-07-01T12:10:25","slug":"phantom-squatting-uses-ai-hallucinated-domains-for-phishing-and-malware","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/07\/phantom-squatting-uses-ai-hallucinated-domains-for-phishing-and-malware","title":{"rendered":"Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/phantom-squatting-uses-ai-hallucinated-domains-for-phishing-and-malware.jpg\"><\/a><\/p>\n<p>Phantom squatting is the domain version of <b>slopsquatting<\/b>, where attackers register the fake software package names that AI coding tools invent. That is not a hypothetical.<\/p>\n<p>A large <a href=\"https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/spracklen\">USENIX study<\/a> found code-generating models routinely suggest package names that do not exist, and the <a href=\"https:\/\/thehackernews.com\/2025\/10\/phantomraven-malware-found-in-126-npm.html\">PhantomRaven campaign<\/a> turned exactly that behavior into malware hidden in 126 npm packages with more than 86,000 installs.<\/p>\n<p>It points to a larger shift: model output is becoming input. Developers, agents, and security teams act on AI-generated links and names before anyone verifies them, and <a href=\"https:\/\/thehackernews.com\/2026\/02\/from-exposure-to-exploitation-how-ai.html\">AI keeps shrinking the time defenders have to react<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phantom squatting is the domain version of slopsquatting, where attackers register the fake software package names that AI coding tools invent. That is not a hypothetical. A large USENIX study found code-generating models routinely suggest package names that do not exist, and the PhantomRaven campaign turned exactly that behavior into malware hidden in 126 npm [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,6],"tags":[],"class_list":["post-240063","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-robotics-ai"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/240063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=240063"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/240063\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=240063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=240063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=240063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}