AI hallucinates software packages and devs download them – even if potentially poisoned with malware

Welcome • User Guide
ToS • Privacy • Canary
Donate • Bugs • License

©2025 Poal.co

742

•

AI hallucinates software packages and devs download them – even if potentially poisoned with malware (www.theregister.com)

Well that is yet another attack vector. Sounds a lot like the copy/paste everyone used to do from source forge.

Archive: https://archive.today/6QMPe Slashdot Link: https://it.slashdot.org/story/24/03/30/1744209/ai-hallucinated-a-dependency-so-a-cybersecurity-researcher-built-it-as-proof-of-concept-malware Slashdot Archive: https://archive.today/wt7eA

From the post: "Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.

According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions."

Well that is yet another attack vector. Sounds a lot like the copy/paste everyone used to do from source forge. Archive: https://archive.today/6QMPe Slashdot Link: https://it.slashdot.org/story/24/03/30/1744209/ai-hallucinated-a-dependency-so-a-cybersecurity-researcher-built-it-as-proof-of-concept-malware Slashdot Archive: https://archive.today/wt7eA From the post: "Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI. Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous. According to Bar Lanyado, security researcher at Lasso Security, one of the businesses fooled by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions."

(post is archived)

You are currently inside a comment thread.

Click here to see all the comments (1).

[–] • 2 pts

having spotted this reoccurring hallucination

Things occur and things recur; there is no such word as "reoccur".

link

(post is archived)

You can claim this sub in /s/subrequest