.md TLD: Namespace Collision Threat to AI Agents

Seven domains that match common markdown filenames (readme.md, changelog.md, etc.) were investigated in a sandboxed environment. Four of the seven (57%) are actively detecting AI agents and building infrastructure for potential prompt injection attacks.

Executive Summary

Moldova’s country-code TLD .md creates a dangerous namespace collision with markdown files. When auto-linking systems or AI agents encounter README.md in text, they may inadvertently fetch https://readme.md — a domain squatter’s site, not a repository file.

Key Finding: 4 of 7 tested domains are actively serving different content to AI agents versus human browsers. This is pre-positioned attack infrastructure.

Geopolitical Note: Moldova is not a hostile state. Quite the opposite. President Maia Sandu won an EU accession referendum in October 2024, and the country is actively moving toward Western integration. This matters because it means we can actually do something about abuse on .md domains. Registrar cooperation, CERT coordination, takedown enforcement. These are realistic options here. Try that with a .ru or .by domain and see how far you get.

| Severity | Type | Vector |
|---|---|---|
| HIGH | Namespace collision + AI targeting | Auto-linking, AI agent URL fetching |

Threat Classification

What We Found

  • No overtly malicious code detected. Not yet, anyway.
  • All domains host legitimate-appearing commercial services
  • 57% actively detect AI user-agents and referrers
  • Differential content delivery confirmed
  • Infrastructure ready for weaponization

Why This Matters

  1. Detection is operational. These sites can identify Claude, ChatGPT, and other AI agents.
  2. Tracking is active. Each AI visit gets unique session identifiers.
  3. Attack surface exists. One code push away from prompt injection.
  4. Legitimate facade. Real businesses provide plausible deniability.

Domains Investigated

| Domain | IP | AI Targeting | Content |
|---|---|---|---|
| readme.md | 46.36.217.39 | ⚠️ YES | Chess gaming platform |
| changelog.md | 46.36.217.39 | ⚠️ YES | Product feedback SaaS |
| setup.md | 104.21.44.82 | ⚠️ YES | Minecraft admin wiki |
| license.md | 205.196.80.240 | ⚠️ YES | Open source license tool |
| install.md | 104.21.49.214 | ✓ No | Unknown |
| contributing.md | 205.196.80.240 | ✓ No | Unknown |
| security.md | 217.26.150.22 | ✓ No | Security equipment shop |

Note: readme.md and changelog.md share the same IP. That is coordinated infrastructure.


AI Detection Evidence

User-Agent Testing

We tested each domain with various user-agent strings:

| User-Agent | readme.md Response |
|---|---|
| Mozilla/5.0 (baseline) | Hash: 02af349f |
| Claude-Agent/1.0 | Hash: 81842a04 ⚠️ DIFFERS |
| ChatGPT-User/1.0 | Hash: 44b2bbb4 ⚠️ DIFFERS |
| Anthropic-Claude/1.0 | Hash: 3237bf6f ⚠️ DIFFERS |
| OpenAI-Agent/1.0 | Hash: a0269e5d ⚠️ DIFFERS |

Referrer Testing

| Referrer Header | Response Hash |
|---|---|
| (none) | 02af349f (baseline) |
| claude.ai/chat/* | 54c191a2 ⚠️ DIFFERS |
| chat.openai.com/c/* | bf81e7d7 ⚠️ DIFFERS |
| app.anthropic.com/* | 15c95b47 ⚠️ DIFFERS |

Control Test

security.md showed NO variation across all tests. This confirms the variation on other domains is intentional, not random server behavior.
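
The comparison method described in this section (hash a normalized response per request profile and check it against a stable baseline) can be reproduced offline as follows. This is an added example, not the investigators' script; the normalization rules, the `control-profile` label and the sample bodies are assumptions constructed for illustration.

```python
import hashlib
import re

# Per-request values that change on every fetch and would otherwise make
# every hash differ. These rules are assumptions; extend them per site.
VOLATILE = [
    (re.compile(r'\bnonce="[^"]*"'), 'nonce=""'),
    (re.compile(r'(name="csrf[^"]*"\s+value=")[^"]*'), r"\1"),
]

def fingerprint(html: str) -> str:
    """MD5 of the normalized body, truncated to 8 hex chars as on this page."""
    for pattern, repl in VOLATILE:
        html = pattern.sub(repl, html)
    html = re.sub(r"\s+", " ", html).strip()
    return hashlib.md5(html.encode("utf-8")).hexdigest()[:8]

def compare(samples: dict, baseline: str = "baseline") -> dict:
    """Map each non-baseline profile to 'same', 'differs' or 'inconclusive'."""
    base = {fingerprint(body) for body in samples[baseline]}
    verdicts = {}
    for profile, bodies in samples.items():
        if profile == baseline:
            continue
        seen = {fingerprint(body) for body in bodies}
        if len(base) > 1:
            # Baseline is not stable between identical requests, so a
            # differing hash cannot be attributed to the request profile.
            verdicts[profile] = "inconclusive"
        elif seen <= base:
            verdicts[profile] = "same"
        else:
            verdicts[profile] = "differs"
    return verdicts

# Constructed sample bodies (not captured from any real site).
PAGE = '<html><script nonce="{n}">init()</script>\n<p>Play chess</p>{extra}</html>'
SAMPLES = {
    "baseline": [PAGE.format(n="a1", extra=""), PAGE.format(n="b2", extra="")],
    "Claude-Agent/1.0": [PAGE.format(n="c3", extra='<div id="alt">variant</div>')],
    "control-profile": [PAGE.format(n="d4", extra="")],
}

if __name__ == "__main__":
    for profile, verdict in compare(SAMPLES).items():
        print(f"{profile}: {verdict}")
```

Fetching the baseline at least twice is what separates per-request noise (nonces, CSRF tokens) from content keyed on the user-agent or referrer.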


Attack Scenarios

Scenario 1: Referrer Leakage (HIGH likelihood)

  1. AI agent auto-fetches readme.md URL from conversation
  2. Referrer header contains conversation context (claude.ai/chat/abc123)
  3. Google Analytics on target site captures referrer
  4. Conversation metadata exfiltrated

Scenario 2: Prompt Injection (Currently DORMANT)

  1. Site detects AI user-agent
  2. Serves hidden instructions in HTML comments or meta tags
  3. AI agent ingests malicious instructions
  4. Behavior manipulation achieved

Current Status: Infrastructure tested and ready. Injection payloads not yet deployed.

Scenario 3: Credential Harvesting (MEDIUM likelihood)

  1. User clicks “README.md” in chat interface
  2. Lands on chess site (readme.md)
  3. Creates account with reused password
  4. Credentials collected by domain squatter

Threat Model

Phase 1: Infrastructure ✅ COMPLETE

  • Register high-traffic collision domains
  • Build legitimate-appearing frontends
  • Implement server-side AI detection

Phase 2: Data Collection 🔄 CURRENT

  • Profile AI agent behavior
  • Identify which agents auto-fetch
  • Track referrer patterns
  • Build targeting accuracy

Phase 3: Weaponization ⏸️ PENDING

  • Deploy prompt injection payloads
  • Target specific AI systems
  • Exfiltrate conversation context
  • Manipulate agent behavior

Recommendations

For AI Agent Developers

  1. Never auto-fetch .md TLD URLs without explicit user approval
  2. Strip referrer headers when fetching external content
  3. Log all .md domain requests for security review
  4. Implement URL reputation checking before fetch
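
A pre-fetch guard covering the first three recommendations above, as an added example rather than code from this investigation. The function names, the logger name and the sample URLs in the demo are hypothetical, and treating a bare filename token as non-fetchable is a design assumption of this sketch.

```python
import logging
from urllib.parse import urlsplit

log = logging.getLogger("fetch_guard")  # hypothetical logger name

def host_of(candidate: str) -> str:
    """Lower-cased host of a URL or of a bare token such as 'README.md'."""
    try:
        parts = urlsplit(candidate if "://" in candidate else "//" + candidate)
    except ValueError:
        return ""
    # 'readme.md.' (trailing root dot) resolves to the same host as 'readme.md'.
    return (parts.hostname or "").rstrip(".")

def is_md_tld(candidate: str) -> bool:
    """True when the text would resolve to a host under the .md TLD."""
    return host_of(candidate).endswith(".md")

def plan_fetch(candidate: str, headers: dict, user_approved: bool = False):
    """Return (url, headers) when the fetch may proceed, otherwise None."""
    try:
        scheme = urlsplit(candidate).scheme
    except ValueError:
        return None
    if scheme not in ("http", "https"):
        # A bare filename in text is not a link; never promote it to a URL.
        return None
    if is_md_tld(candidate):
        log.warning("md-tld fetch host=%s approved=%s",
                    host_of(candidate), user_approved)
        if not user_approved:
            return None
    # Drop any Referer set upstream so conversation URLs do not leak.
    clean = {k: v for k, v in headers.items() if k.lower() != "referer"}
    return candidate, clean

if __name__ == "__main__":
    # Constructed inputs for illustration.
    hdrs = {"Referer": "https://chat.example/c/constructed", "Accept": "text/html"}
    for text in ("README.md", "https://readme.md/",
                 "https://example.com/docs/README.md"):
        print(text, "->", plan_fetch(text, hdrs))
```

The host check runs on the parsed hostname, so a path ending in `README.md` on another domain is not blocked while `readme.md` with a trailing dot or a port still is.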

For Users

  1. Never click markdown filenames that appear as links in chat
  2. Verify URLs before visiting. Hover to check the destination.
  3. Access repository files via GitHub/GitLab directly

For Organizations

  1. Block .md TLD at the firewall for AI-facing systems
  2. Monitor for .md requests in security logs
  3. Train staff on namespace collision risks

Technical Details

Investigation Environment

  • VM: hal-sandbox (192.168.100.196)
  • Tools: curl, custom user-agent rotation script
  • Hash Method: MD5 of normalized HTML response

Files Collected

  • 28 HTML files (baseline + AI-targeted versions)
  • HTTP headers for all domains
  • JavaScript libraries with user-agent references

Conclusion

The .md TLD namespace collision threat is real, active, and evolving.

Domain squatters have:

  • Built legitimate businesses as cover
  • Deployed AI agent detection systems
  • Tested differential content delivery
  • Positioned infrastructure for future attacks

Verdict: The .md TLD blocklist is CRITICAL, not precautionary. This threat will escalate as AI adoption increases.


Investigation conducted by FTRCRP Research. Evidence preserved for future reference.

Published: 2026-02-04 | Updated: 2026-02-05