Supply Chain Typosquatting Campaign Embeds AI‑Generated Lookalike Domains in Third‑Party Scripts
What Happened — Researchers observed attackers using AI‑generated typosquatted domains that are injected into legitimate third‑party JavaScript libraries and other web‑delivery scripts. The malicious look‑alike URLs are served from the same CDN endpoints as the genuine scripts, making them invisible to most traditional URL‑reputation tools.
Why It Matters for TPRM —
- Third‑party script providers become inadvertent carriers of malicious domains, expanding the attack surface of every downstream customer.
- Traditional user‑focused anti‑phishing controls miss these supply‑chain vectors, exposing organizations to credential harvesting and malware download.
- The technique scales quickly across industries that rely on shared UI components, analytics, or advertising scripts.
Who Is Affected — Web‑based businesses across all sectors (e‑commerce, SaaS, media, finance, healthcare) that embed third‑party JavaScript, analytics, or advertising scripts.
Recommended Actions —
- Conduct an inventory of all third‑party scripts and libraries loaded on public‑facing sites.
- Enforce Subresource Integrity (SRI) or signed script delivery where possible.
- Deploy DNS‑level monitoring for look‑alike domains and integrate threat‑intel feeds that include AI‑generated typosquatting indicators.
- Require vendors to provide attestations of script integrity and to scan their build pipelines for malicious domain injection.
Technical Notes — Attack vector: THIRD_PARTY_DEPENDENCY via compromised or maliciously altered third‑party JavaScript. No specific CVE; the threat leverages AI‑generated domain generation algorithms to produce convincing typosquatted URLs. Data at risk includes user credentials, session tokens, and any data exfiltrated through drive‑by downloads. Source: The Hacker News