#DependencyConfusion

2025-04-30

I am shocked and appalled. What a shocker! Who could possibly have seen that coming?

arxiv.org/pdf/2406.10279

TLDR: Artificial intelligence consistently hallucinates packages which, if a programmer relies on the AI, can be exploited via dependency confusion.

#KI #AI #moreAthanI #Sicherheitslücke #IT #DependencyConfusion #RepositoryHijacking #ProgrammerHumor

Ars Technica News (arstechnica@c.im)
2025-04-29

AI-generated code could be a disaster for the software supply chain. Here's why. arstechni.ca/fUp9Y #packageconfusion #packagehallucination #dependencyconfusion #supplychainattack #Security #Biz&IT #AI

Jeroen Ruigrok van der Werven (asmodai)
2024-02-29
2023-05-13

Using dependabot to convert internal dependencies into public, attacker-controlled ones, using dependency-confusion. Wow, nice find!

giraffesecurity.dev/posts/depe

#DependencyConfusion #dependabot #vulnerability

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 (clacke@libranet.de)
2021-07-06
> Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.
[ . . . ]
> In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.
> Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.
Wow.

#SupplyChainAttack #DependencyConfusion
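The resolution behaviour the quoted post describes (the installer takes the highest version of a name regardless of which index it came from) is easy to see in a few lines. The block below is an added example, not code from any post on this page or from the researcher's writeup: two indexes are simulated offline as dicts, the package names, versions and the manifest are all constructed for illustration, and a "scoped" resolver shows the fix of never looking an internal name up in the public index. The audit function also flags names that exist in no index at all, which is the case the first post on this page is about (hallucinated or mistyped names an attacker can still register).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # which index this candidate was found in


def version_key(version: str) -> tuple:
    # Numeric dotted versions are enough for this simulation
    # (no pre-release or local-version handling).
    return tuple(int(part) for part in version.split("."))


# Constructed data: a company's private index, and the public index after
# an attacker registered the same internal name with a very high version.
INTERNAL_NAMES = {"acme-internal-utils"}  # hypothetical internal package
INDEXES = {
    "private": {"acme-internal-utils": ["1.2.0", "1.3.0"]},
    "public": {
        "requests": ["2.31.0", "2.32.3"],
        "acme-internal-utils": ["99.0.0"],  # attacker-controlled upload
    },
}


def candidates(name, indexes, allowed=None):
    """Collect every (name, version, index) triple, optionally restricted
    to the indexes named in `allowed`."""
    found = []
    for index_name, packages in indexes.items():
        if allowed is not None and index_name not in allowed:
            continue
        for version in packages.get(name, []):
            found.append(Candidate(name, version, index_name))
    return found


def pick_highest(cands):
    return max(cands, key=lambda c: version_key(c.version)) if cands else None


def resolve_naive(name, indexes):
    """Vulnerable: merge all configured indexes and take the highest version
    wherever it lives. This is the behaviour the quoted post describes."""
    return pick_highest(candidates(name, indexes))


def resolve_scoped(name, indexes, internal_names):
    """Hardened: an internal name is only ever looked up in the private index,
    every other name only in the public one, so a same-named public upload
    is never a candidate."""
    allowed = {"private"} if name in internal_names else {"public"}
    return pick_highest(candidates(name, indexes, allowed))


def audit_manifest(manifest, indexes, internal_names):
    """Classify each requirement: 'collision' if the name exists in more than
    one index, 'unclaimed' if it exists in none (a hallucinated or mistyped
    name that an attacker could register), otherwise 'ok'."""
    report = {}
    for requirement in manifest:
        name = requirement.split("==")[0].strip()
        where = {idx for idx, pkgs in indexes.items() if name in pkgs}
        if len(where) > 1:
            report[name] = "collision"
        elif not where:
            report[name] = "unclaimed"
        else:
            report[name] = "ok"
    return report


# Constructed manifest; "flask-authz-helper" is a made-up name that exists nowhere.
MANIFEST = ["requests==2.32.3", "acme-internal-utils", "flask-authz-helper"]

if __name__ == "__main__":
    print(resolve_naive("acme-internal-utils", INDEXES))
    print(resolve_scoped("acme-internal-utils", INDEXES, INTERNAL_NAMES))
    print(audit_manifest(MANIFEST, INDEXES, INTERNAL_NAMES))
```

With pip the two resolvers correspond to `--extra-index-url` (candidates from all indexes are merged, so the attacker's 99.0.0 wins) versus `--index-url` pointing at a private index that proxies only the public names you allow; the `collision` and `unclaimed` flags are the two conditions worth failing a CI build on.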

Antonio Hdez. Blas 🔵 (nihilipster@fosstodon.org)
2021-02-12

"In this post, I demonstrate that critical parts of the #Haskell package management system are vulnerable to the #DependencyConfusion supply chain attack." #security #cabal #hackage

frasertweedale.github.io/blog-

heise online (unofficial) (heiseonline@squeet.me)
2021-02-10
A security researcher demonstrates how, with comparatively little effort, he was able to get his foot in the door of systems at Apple, Netflix and Tesla, among others.
Security researcher breaks into PayPal & Co. via open-source repositories
