Ich bin geschockt und schockiert. Was ein Schocker! Wer hätte das denn ahnen können?
https://arxiv.org/pdf/2406.10279
TLDR: Künstliche Intelligenz halluziniert konsequent Pakete, welche sich, sofern ein Programmierer sich auf die KI verlässt, per Dependency Confusion exploiten lassen.
#KI #AI #moreAthanI #Sicherheitslücke #IT #DependencyConfusion #RepositoryHijacking #ProgrammerHumor
AI-generated code could be a disaster for the software supply chain. Here’s why. https://arstechni.ca/fUp9Y #packageconfusion.packagehallucination #dependencyconfusion #supplychainattac #Security #Biz&IT #AI
"CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package"
#security #infosec #cybersecurity #dependencyconfusion #supplychain
Over 100,000 Infected Repos Found on GitHub
https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack/
Using dependabot to convert internal dependencies into public, attacker-controlled ones, using dependency-confusion. Wow, nice find!
> Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.Wow.
[ . . . ]
> In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.
> Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.
"In this post, I demonstrate that critical parts of the #Haskell package management system are vulnerable to the #DependencyConfusion supply chain attack." #security #cabal #hackage
https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html
