The integration of Large Language Models (LLMs) into the software development lifecycle has accelerated productivity, but it has also created a novel and insidious attack vector: Phantom Squatting. As detailed in a recent analysis by Unit 42, adversaries are now actively monitoring or influencing AI-generated code suggestions to identify "hallucinated" domains: non-existent software packages or libraries suggested by AI models that developers subsequently attempt to install.
This represents a critical shift in supply chain risk. Unlike traditional typosquatting, which relies on human error, phantom squatting exploits the trust developers place in AI assistants. When an LLM invents a library name (e.g., pandas-analytics or a non-existent internal module), attackers race to register that package name in public repositories (PyPI, npm, RubyGems) with malicious code before the developer attempts the install. If the CI/CD pipeline or developer workstation executes the install, the supply chain is immediately compromised. Defenders must act now and treat AI suggestions as untrusted input.
Technical Analysis
The Attack Chain
- Hallucination: A developer queries an LLM (e.g., ChatGPT, Copilot) for a code snippet to perform a specific function.
- Suggestion: The LLM generates code that imports or requires a library that does not exist (e.g., import request_security).
- Squatting: Threat actors, using automated tools, identify these hallucinated names or pre-emptively register variations of common packages.
- Registration: The attacker publishes a malicious package to a public registry with the hallucinated name.
- Execution: The developer runs pip install, npm install, or equivalent. The build system or local environment downloads and executes the malicious payload, leading to credential theft, reverse shell establishment, or data exfiltration.
Affected Platforms & Ecosystems
While theoretically language-agnostic, the primary vectors identified target high-frequency languages often assisted by AI:
- Python (PyPI): High risk due to massive package volume and common use in data science/AI workflows.
- JavaScript (npm): Critical risk for web applications and CI/CD pipelines.
- Go, Ruby, and .NET: Vulnerable when using package managers that support external source imports.
Exploitation Status
This is an active and emerging threat. Proof-of-concept (PoC) campaigns have been demonstrated where researchers registered packages suggested by popular AI models and observed installation attempts within hours. The barrier to entry is low, making it a high-risk vector for automated supply chain compromise.
Detection & Response
Detecting phantom squatting requires a shift from detecting "known bad" to detecting "deviant behavior" in package management. Since the packages themselves are new and previously unknown, signature-based detection is insufficient. We must hunt for the behavioral indicators of installing unverified or custom-sourced packages.
Sigma Rules
---
title: Potential Phantom Squatting - Python Pip Custom Index
id: 8f5a2d1c-9b4e-4f3d-8a1e-2c7b6d9e0f3a
status: experimental
description: Detects pip install commands utilizing custom or non-standard index URLs (index-url or extra-index-url). Attackers often host malicious packages on custom domains or try to intercept traffic to unofficial repositories during phantom squatting attacks.
references:
    - https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains/
author: Security Arsenal
date: 2026/04/21
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.supply_chain
logsource:
    category: process_creation
    product: linux
    # Applicable to Windows as well if Python is installed
detection:
    # The install verb and the index flag live in separate selections: a YAML mapping
    # cannot carry the same key (CommandLine|contains) twice, the second would silently
    # replace the first and drop the 'install ' requirement.
    selection_install:
        Image|endswith:
            - '/pip'
            - '/pip3'
            - '/python'
            - '/python3'
        CommandLine|contains: 'install '
    selection_index:
        CommandLine|contains:
            - '--index-url'
            - '--extra-index-url'
    filter_legit_public:
        CommandLine|contains:
            - 'pypi.org'
            - 'files.pythonhosted.org'
    condition: selection_install and selection_index and not filter_legit_public
falsepositives:
    - Legitimate usage of internal corporate PyPI mirrors.
    - Developers installing from verified third-party artifact repositories.
level: medium
---
title: Suspicious NPM Package Installation from Non-Registry Source
id: 3d7e1a4f-2c5b-6a8d-9e0f-1b2c3d4e5f6a
status: experimental
description: Detects npm or yarn package installations fetching directly from Git repositories, tarball URLs, or non-registry.npmjs.org sources. This is a common TTP in dependency confusion and phantom squatting where attackers host malicious code on external domains.
references:
    - https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains/
author: Security Arsenal
date: 2026/04/21
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.supply_chain
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/npm'
            - '/yarn'
            - '/pnpm'
        CommandLine|contains: 'install'
    # Expressed as contains + filter instead of a regex with negative lookahead, which
    # RE2-based backends (e.g. KQL, Elasticsearch) cannot compile.
    selection_url:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    filter_official_registry:
        CommandLine|contains: 'registry.npmjs.org'
    condition: selection and selection_url and not filter_official_registry
falsepositives:
    - Installations of private packages from corporate GitLab/GitHub instances.
    - Development testing of local tarballs.
level: high
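To show what these two rules fire on, here is an added plain-Python re-implementation of their logic (not part of the original page or of any Sigma backend) run over constructed process_creation events; the hostnames in the sample command lines are made up for illustration.

```python
PIP_IMAGES = ("/pip", "/pip3", "/python", "/python3")
NPM_IMAGES = ("/npm", "/yarn", "/pnpm")
PIP_PUBLIC = ("pypi.org", "files.pythonhosted.org")

def match_pip_custom_index(event: dict) -> bool:
    """Rule 1: pip/python 'install' using --index-url/--extra-index-url that is not PyPI."""
    # Sigma's |contains is case-insensitive, so compare lower-cased values.
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    if not image.endswith(PIP_IMAGES) or "install " not in cmd:
        return False
    if "--index-url" not in cmd and "--extra-index-url" not in cmd:
        return False
    # filter_legit_public: anything pointing at the official index is dropped
    return not any(host in cmd for host in PIP_PUBLIC)

def match_npm_non_registry(event: dict) -> bool:
    """Rule 2: npm/yarn/pnpm 'install' fetching from a URL other than registry.npmjs.org."""
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    if not image.endswith(NPM_IMAGES) or "install" not in cmd:
        return False
    return ("http://" in cmd or "https://" in cmd) and "registry.npmjs.org" not in cmd

# Constructed process_creation events (not real telemetry); field names follow Sigma's.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/pip3", "CommandLine": "pip3 install --extra-index-url https://pkgs.internal.example/simple request_security"},
    {"Image": "/usr/bin/pip3", "CommandLine": "pip3 install --index-url https://pypi.org/simple requests"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -m pip install requests"},
    {"Image": "/usr/local/bin/npm", "CommandLine": "npm install https://cdn.example.net/left-pad-1.0.0.tgz"},
    {"Image": "/usr/local/bin/npm", "CommandLine": "npm install --registry https://registry.npmjs.org/ lodash"},
]

def run_rules(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule title, CommandLine) for every event that fires a rule."""
    hits = []
    for ev in events:
        if match_pip_custom_index(ev):
            hits.append(("Potential Phantom Squatting - Python Pip Custom Index", ev["CommandLine"]))
        if match_npm_non_registry(ev):
            hits.append(("Suspicious NPM Package Installation from Non-Registry Source", ev["CommandLine"]))
    return hits

if __name__ == "__main__":
    for title, cmd in run_rules(SAMPLE_EVENTS):
        print(f"[{title}] {cmd}")
```

Only the first and fourth sample events fire; the PyPI-indexed install, the plain `python3 -m pip install`, and the explicit registry.npmjs.org install are filtered, which is the false-positive behaviour the rules intend.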
KQL (Microsoft Sentinel / Defender)
This query hunts for process executions of common package managers that result in immediate outbound network connections to newly registered or low-reputation domains (simulated here by looking for connections to non-standard ports or endpoints outside of the primary official registry ranges).
// Hunt for Phantom Squatting indicators in process and network logs
let PackageManagers = dynamic(['pip', 'pip3', 'npm', 'yarn', 'pnpm', 'gem', 'go', 'mvn']);
let InstallCmds = dynamic(['install', 'add', 'get']);
DeviceProcessEvents
| where Timestamp > ago(24h)
// FileName is the executable name in this table; the version-info field also catches
// Windows builds whose on-disk name differs from the original binary name
| where ProcessVersionInfoOriginalFileName in~ (PackageManagers) or FileName in~ (PackageManagers)
| where ProcessCommandLine has_any (InstallCmds)
| project Timestamp, DeviceId, DeviceName, AccountName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    // Focus on non-HTTPS or connections to unlikely web ports associated with package managers
    | where RemotePort != 443
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, RemoteUrl, RemoteIP, RemotePort
// Defender tables have no ProcessGuid; DeviceId + PID + creation time identifies the process
// and avoids matching a recycled PID
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| where RemoteUrl !contains "pypi.org"
    and RemoteUrl !contains "npmjs.org"
    and RemoteUrl !contains "rubygems.org"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for package manager process executions on Linux or macOS endpoints that might indicate a phantom squatting attempt, specifically looking for commands that include raw URLs (a common method to install hallucinated/squatted packages).
-- Hunt for package managers installing from direct URLs (Phantom Squatting Indicator)
SELECT Pid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE Name IN ('pip', 'pip3', 'npm', 'yarn', 'pnpm', 'mvn')
  AND (
       -- a bare scheme is enough to flag a URL install; the original character class
       -- relied on a backslash escape that VQL string literals do not need
       CommandLine =~ 'https?://'
    OR CommandLine =~ '--index-url'
    OR CommandLine =~ '--registry'
  )
  AND NOT CommandLine =~ 'pypi.org'
  AND NOT CommandLine =~ 'npmjs.org'
Remediation Script
This Bash script audits common developer environments for insecure package manager configurations that allow phantom squatting or dependency confusion to succeed (e.g., allowing insecure HTTP repositories or unscoped global installs).
#!/bin/bash
# Audit Script: Phantom Squatting Hardening for Python and Node.js
# Usage: sudo ./audit_phantom_squatting.sh
echo "[+] Auditing environment for Phantom Squatting risks..."

# Check Python (pip) configuration for insecure indexes
echo "[*] Checking Python pip configuration..."
PIP_CONF="/etc/pip.conf"
HOME_PIP_CONF="$HOME/.pip/pip.conf"
# pip also reads the XDG per-user location, which the legacy path above does not cover
XDG_PIP_CONF="${XDG_CONFIG_HOME:-$HOME/.config}/pip/pip.conf"
for conf_file in "$PIP_CONF" "$HOME_PIP_CONF" "$XDG_PIP_CONF"; do
    if [ -f "$conf_file" ]; then
        # pip.conf keys are written as "index-url = <url>"; tolerate surrounding whitespace
        if grep -qE "^[[:space:]]*index-url[[:space:]]*=.*http://" "$conf_file"; then
            echo "[!] WARNING: Insecure HTTP index-url found in $conf_file"
        else
            echo "[+] No insecure HTTP index-url in $conf_file"
        fi
        if grep -qE "^[[:space:]]*extra-index-url[[:space:]]*=" "$conf_file"; then
            echo "[!] WARNING: Extra index URLs found in $conf_file. Verify these are trusted corporate repositories."
            grep -E "^[[:space:]]*extra-index-url[[:space:]]*=" "$conf_file"
        fi
        # trusted-host disables TLS verification for the named index host
        if grep -qE "^[[:space:]]*trusted-host[[:space:]]*=" "$conf_file"; then
            echo "[!] WARNING: trusted-host set in $conf_file (TLS verification disabled for that host)."
        fi
    fi
done

# Check NPM configuration
echo "[*] Checking NPM configuration..."
if command -v npm >/dev/null 2>&1; then
    NPM_REGISTRY=$(npm config get registry)
    if [ "$NPM_REGISTRY" != "https://registry.npmjs.org/" ] && [ "$NPM_REGISTRY" != "undefined" ]; then
        echo "[!] WARNING: NPM registry is set to a non-standard source: $NPM_REGISTRY"
    else
        echo "[+] NPM registry set to default."
    fi
    # Check for allowlist enforcement (Note: This is informational; hardening requires policy config)
    echo "[*] Checking for strict SSL enforcement in NPM..."
    NPM_STRICT_SSL=$(npm config get strict-ssl)
    if [ "$NPM_STRICT_SSL" != "true" ]; then
        echo "[!] WARNING: NPM strict-ssl is disabled."
    else
        echo "[+] NPM strict-ssl is enabled."
    fi
else
    echo "[*] npm not found on PATH; skipping NPM checks."
fi
echo "[+] Audit complete."
Remediation
To effectively defend against Phantom Squatting, organizations must move from reactive detection to proactive supply chain governance:
- Strict Repository Allowlisting: Configure all package managers (pip, npm, maven, gradle) to only install packages from explicitly allowed internal or public repositories. Block access to public repositories like PyPI or npmjs.org at the proxy level for build servers, requiring an internal artifact repository (e.g., Artifactory, Nexus) to act as a proxy.
- Verify AI Suggestions: Treat all code and package suggestions generated by LLMs as untrusted. Implement a policy where developers must manually verify the existence and reputation of a package on the official registry (checking upload date, publisher verification, and download count) before installation.
- Software Bill of Materials (SBOM): Mandate the generation of SBOMs for all internal applications. Utilize Software Composition Analysis (SCA) tools during the CI/CD process to detect newly created packages or packages lacking digital signatures.
- Network Segmentation: Isolate build environments from the open internet. Developers should not have the ability to run arbitrary package installers on production build servers.
- Vendor Advisory: Refer to the Unit 42 Analysis for continued updates on this evolving threat landscape.
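The "Verify AI Suggestions" and allowlisting controls above can be automated as a gate that runs before the Execution step of the attack chain. The following is an added example (not code from the original page or from Unit 42) that scores each requested package against an embedded, constructed registry snapshot loosely shaped like PyPI's JSON metadata; the thresholds, the allowlist contents and the helper names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
import re

MIN_AGE_DAYS = 90                 # assumed policy: younger packages need human review
MIN_DOWNLOADS = 1000              # assumed policy: below this, treat as unvetted
ALLOWLIST = {"numpy"}             # assumed: names pre-approved in the internal artifact repo

def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Request_Security' and 'request-security' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def assess(name: str, registry: dict, now: datetime) -> tuple[str, str]:
    """Return (verdict, reason) for one requested package: 'allow', 'review' or 'block'."""
    key = normalize(name)
    if key in ALLOWLIST:
        return "allow", "on internal allowlist"
    meta = registry.get(key)
    if meta is None:
        # The name is unclaimed on the registry: exactly the gap a squatter races to fill.
        return "block", "package does not exist on the registry (possible hallucination)"
    age = now - datetime.fromisoformat(meta["first_upload"])
    if age < timedelta(days=MIN_AGE_DAYS):
        return "review", f"first uploaded {age.days} days ago; newly registered name"
    if meta["downloads_last_month"] < MIN_DOWNLOADS:
        return "review", f"only {meta['downloads_last_month']} downloads last month"
    if not meta.get("publisher_verified", False):
        return "review", "publisher not verified"
    return "allow", "established package"

def gate(requirements: list[str], registry: dict, now: datetime) -> dict[str, tuple[str, str]]:
    """Assess every requirement; a CI step should refuse to install if any verdict is 'block'."""
    return {req: assess(req, registry, now) for req in requirements}

# Constructed registry snapshot (not real data): keys are normalised names.
REGISTRY = {
    "requests": {"first_upload": "2011-02-14T00:00:00+00:00", "downloads_last_month": 300_000_000, "publisher_verified": True},
    "pandas-analytics": {"first_upload": "2026-04-18T00:00:00+00:00", "downloads_last_month": 12, "publisher_verified": False},
}
# Constructed requirements list built from the names this page uses as examples.
REQUIREMENTS = ["numpy", "requests", "Request_Security", "pandas-analytics"]
NOW = datetime(2026, 4, 21, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

if __name__ == "__main__":
    for req, (verdict, why) in gate(REQUIREMENTS, REGISTRY, NOW).items():
        print(f"{verdict:6} {req}: {why}")
```

In a real pipeline the snapshot would come from the registry's metadata API behind the internal proxy, and 'review' verdicts would be routed to a human before the install proceeds.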