Full Report
AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, and what detection actually requires. Download the CISO Expert Guide to Typosquatting in the AI Era → TL;DR Typosquatting is no longer a user problem. Attackers now embed lookalike domains inside legitimate third-party scripts.
Analysis Summary
# Tool/Technique: AI-Driven Supply Chain Typosquatting
## Overview
This technique represents the "Phase 3" evolution of typosquatting. Instead of relying on users mistyping a URL, attackers use AI and Large Language Models (LLMs) to generate thousands of visually identical (homograph) lookalike domains. These domains are then embedded into legitimate, trusted third-party scripts (NPM packages, Chrome extensions, marketing pixels) through supply chain compromises. The primary purpose is to intercept sensitive data (credentials, PII, payment info) directly within the user's browser, bypassing traditional perimeter defenses like WAFs and Firewalls.
## Technical Details
- **Type**: Technique / Supply Chain Attack
- **Platform**: Web Browsers (Chrome), JavaScript Environments (Node.js/NPM), E-commerce platforms.
- **Capabilities**: Automated domain generation, visual spoofing (homograph attacks), credential harvesting, data exfiltration from browser runtime.
- **First Seen**: Significant evolution and large-scale deployment noted in late 2025/early 2026 (e.g., Shai-Hulud worm).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Web Browsers]
- [T1539 - Steal Web Session Cookie]
- **[TA0010 - Exfiltration]**
- [T1567 - Exfiltration Over Web Service]
- **[TA0005 - Defense Evasion]**
- [T1036.007 - Masquerading: Double File Extension / Lookalike Domains]
## Functionality
### Core Capabilities
- **Automated Lookalike Generation**: Using LLMs to create thousands of permutations of a target brand's domain to evade string-distance detection algorithms.
- **Homograph Implementation**: Utilizing non-Latin characters (Cyrillic, Greek) to create domains indistinguishable from legitimate ones in browser address bars.
- **Supply Chain Injection**: Compromising upstream dependencies (NPM packages, browser extensions) to inject malicious scripts into trusted environments.
### Advanced Features
- **Browser-Runtime Execution**: Capturing data (like wallet seed phrases or payment card info) before it is encrypted or sent to a legitimate server, rendering server-side logs useless.
- **Rapid Deployment**: AI-driven automation allows for domain registration, SSL issuance, and campaign deployment in under ten minutes.
## Indicators of Compromise
- **File Names**: `chalk`, `debug` (malicious versions of these legitimate NPM libraries).
- **Network Indicators**:
- Lookalike analytics endpoints (e.g., `trustwaIIet[.]com`—note the double 'I' replacing 'll').
- Unauthorized outbound connections from browser scripts to unknown/newly registered domains.
- **Behavioral Indicators**:
- Sudden increase in third-party script connections to domains with High Entropy.
- Scripts performing "hooking" actions on sensitive input fields or form submissions.
## Associated Threat Actors
- **Shai-Hulud**: A self-replicating NPM worm responsible for harvesting developer credentials to facilitate the Trust Wallet extension compromise.
## Detection Methods
- **Behavioral Detection**: Monitoring the Client-Side/Browser Runtime to identify when approved scripts attempt to communicate with unauthorized or lookalike domains.
- **Entropy Analysis**: Detecting domains that use mixed character sets (Homographs) via automated scanning.
- **Inventory Management**: Continuous monitoring of third-party script behaviors (e.g., marketing pixels, support widgets) for changes in network destination.
## Mitigation Strategies
- **Content Security Policy (CSP)**: Properly configuring and strictly enforcing CSP headers to restrict the domains to which scripts can send data.
- **Script Integrity Monitoring**: Using Subresource Integrity (SRI) hashes to ensure that fetched scripts have not been altered.
- **Supply Chain Vetting**: Implementing automated tools to scan dependencies for known malicious patterns or recent, suspicious updates.
- **Zero-Trust for Browsers**: Treating the user's browser as an untrusted environment and monitoring script execution in real-time.
## Related Tools/Techniques
- **Formjacking / Magecart**: Earlier iterations of browser-side data theft.
- **Typosquatting/Cybersquatting**: The foundational technique used for domain deception.
- **Social Engineering**: Specifically phishing targeting package maintainers to gain publishing keys.