
About the .zip and .mov domains: while they are the more noticeable ones, there are others that have been around for a while. I am lazy, so I just asked ChatGPT, and it listed 8, saying that these are "some" (and not willing to give me more):
- .AI: Adobe Illustrator file extension, also Anguilla's ccTLD.
- .FM: FMOD Sound Bank file extension, also Federated States of Micronesia's ccTLD.
- .IO: Input/Output file extension, also British Indian Ocean Territory's ccTLD.
- .ME: Multimedia file extension (MPEG audio), also Montenegro's ccTLD.
- .MP: MPEG video file extension, also Northern Mariana Islands' ccTLD.
- .MS: Microsoft Word document extension, also Montserrat's ccTLD.
- .TV: Television or video file extension, also Tuvalu's ccTLD.
- .VC: Video Clip file extension, also Saint Vincent and the Grenadines' ccTLD.
Even without them, I am sure some domains can be abused the same way. For example, that new .nexus domain: if you know a person is a Skyrim fan who uses Nexus Mods, you can send a link like "https://www.nexusmods.com/skyrim/mods/115481/@badactor.nexus" and say that this is a new format Nexus uses or something like that.
I think the main problem is that this password schema is still supported by the majority of, if not all, browsers, and that is bad, because of the plain text password. I think if major browsers put the support for this into an option, which is disabled by default, that will solve 2 problems at once.
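
Added example, not part of the comment above: a link check for a mail or chat filter that applies the same default-off policy to URLs carrying a `user:password@` part, and reports the host a browser would actually contact. It uses the standard WHATWG `URL` parser; `inspectLink`, `flagLinks`, the verdict names and every sample URL except the one quoted in the comment are assumptions made for illustration.

```javascript
// Added example: flag links whose authority contains a userinfo part.
// The WHATWG URL parser (global in Node.js and browsers) decides what is
// userinfo and what is host, the same way a browser does.

const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i; // "name.tld" shaped string

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, host: null, userinfo: null, verdict: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { raw, host: url.hostname, userinfo: null, verdict: "not-web" };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  if (!hasUserinfo) {
    // An "@" after the first "/" is part of the path, not the authority.
    return { raw, host: url.hostname, userinfo: null, verdict: "ok" };
  }
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  // A username shaped like a hostname is the misleading case: the reader
  // sees a familiar site name, the browser connects to what follows "@".
  const verdict = HOSTLIKE.test(url.username)
    ? "userinfo-looks-like-host"
    : "userinfo";
  return { raw, host: url.hostname, userinfo, verdict };
}

// Keep only the links a filter would block or rewrite.
function flagLinks(links) {
  return links.map(inspectLink).filter((r) => r.verdict !== "ok");
}

// Sample input: the first URL is quoted from the comment, the rest are constructed.
const SAMPLES = [
  "https://www.nexusmods.com/skyrim/mods/115481/@badactor.nexus",
  "https://www.nexusmods.com@badactor.nexus/skyrim/mods/115481",
  "https://alice:s3cret@intranet.example/reports",
];

for (const r of SAMPLES.map(inspectLink)) {
  console.log(`${r.verdict.padEnd(24)} host=${r.host} userinfo=${r.userinfo}`);
}
```

Displaying the parsed `host` next to the link text, rather than the raw string, is what lets a reader see where the link really goes.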