
AI can't stop making up software dependencies and sabotaging everything

(2025/04/12)


The rise of AI-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process.

AI coding assistants, like large language models in general, have a habit of hallucinating. They suggest code that incorporates software packages that don't exist.

As we noted [1]in March and [2]September last year, security and academic researchers have found that AI code assistants invent package names. In a recent study, researchers found that about 5.2 percent of package suggestions from commercial models didn't exist, compared to 21.7 percent from open source models.


Running that code should result in an error when importing a non-existent package. But miscreants have realized that they can hijack the hallucination for their own benefit.


All that's required is to create a malicious software package under a hallucinated package name and then upload the bad package to a package registry or index like PyPI or npm for distribution. Thereafter, when an AI code assistant re-hallucinates the co-opted name, the process of installing dependencies and executing the code will run the malware.

The recurrence appears to follow a bimodal pattern - some hallucinated names show up repeatedly when prompts are re-run, while others vanish entirely - suggesting certain prompts reliably produce the same phantom packages.


As [7]noted by security firm Socket recently, the academic researchers who explored the subject last year found that re-running the same hallucination-triggering prompt ten times resulted in 43 percent of hallucinated packages being repeated every time and 39 percent never reappearing.

Exploiting hallucinated package names represents a form of [8]typosquatting, where variations or misspellings of common terms are used to dupe people. Seth Michael Larson, security developer-in-residence at the Python Software Foundation, has dubbed it "slopsquatting" – "slop" being a common pejorative for AI model output.

"We're in the very early days looking at this problem from an ecosystem level," Larson told The Register. "It's difficult, and likely impossible, to quantify how many attempted installs are happening because of LLM hallucinations without more transparency from LLM providers. Users of LLM generated code, packages, and information should be double-checking LLM outputs against reality before putting any of that information into operation, otherwise there can be real-world consequences."


Larson said that there are many reasons a developer might attempt to install a package that doesn't exist, including mistyping the package name, incorrectly installing internal packages without checking to see whether those names already exist in a public index (dependency confusion), differences in the package name and the module name, and so on.

"We're seeing a real shift in how developers write code," Feross Aboukhadijeh, CEO of security firm Socket, told The Register. "With AI tools becoming the default assistant for many, '[10]vibe coding' is happening constantly. Developers prompt the AI, copy the suggestion, and move on. Or worse, the AI agent just goes ahead and installs the recommended packages itself.

"The problem is, these code suggestions often include hallucinated package names that sound real but don’t exist. I’ve seen this firsthand. You paste it into your terminal and the install fails – or worse, it doesn’t fail, because someone has slop-squatted that exact package name."

Aboukhadijeh said these fake packages can look very convincing.

"When we investigate, we sometimes find realistic-looking READMEs, fake GitHub repos, even sketchy blogs that make the package seem authentic," he said, adding that Socket's security scans will catch these packages because they analyze the way the code works.

"Even worse, when you Google one of these slop-squatted package names, you’ll often get an AI-generated summary from Google itself confidently praising the package, saying it’s useful, stable, well-maintained. But it’s just parroting the package’s own README, no skepticism, no context. To a developer in a rush, it gives a false sense of legitimacy.

"What a world we live in: AI hallucinated packages are validated and rubber-stamped by another AI that is too eager to be helpful."

Aboukhadijeh pointed to [11]an incident in January in which Google's AI Overview, which responds to search queries with AI-generated text, suggested a malicious npm package @async-mutex/mutex, which was typosquatting the legitimate package async-mutex.

He also noted that recently a threat actor using the name "_Iain" published a playbook on a dark web forum detailing how to build a blockchain-based botnet using malicious npm packages.

Aboukhadijeh explained that _Iain "automated the creation of thousands of typo-squatted packages (many targeting crypto libraries) and even used ChatGPT to generate realistic-sounding variants of real package names at scale. He shared video tutorials walking others through the process, from publishing the packages to executing payloads on infected machines via a GUI. It’s a clear example of how attackers are weaponizing AI to accelerate software supply chain attacks."

[12]GitHub supply chain attack spills secrets from 23,000 projects

[13]North Koreans clone open source projects to plant backdoors, steal credentials

[14]Snyk appears to deploy 'malicious' packages targeting Cursor for unknown reason

[15]Ongoing typosquatting campaign impersonates hundreds of popular npm packages

Larson said the Python Software Foundation is working constantly to make package abuse more difficult, adding such work takes time and resources.

"Alpha-Omega has sponsored the work of Mike Fiedler, our PyPI Safety & Security Engineer, to work on reducing the risks of malware on PyPI such as by implementing a programmatic API to report malware, partnering with existing malware reporting teams, and implementing better detections for typo-squatting of top projects," he said.

"Users of PyPI and package managers in general should be checking that the package they are installing is an existing well-known package, that there are no typos in the name, and that the content of the package has been reviewed before installation. Even better, organizations can mirror a subset of PyPI within their own organizations to have much more control over which packages are available for developers." ®
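Larson's advice above (confirm the dependency is an existing, well-known package, check the name for typos, and prefer an internal mirror that only exposes vetted packages) can be enforced as a pre-install gate in CI. The script below is an added example written for this page; it is not code from The Register, the Python Software Foundation, Socket, or PyPI. It assumes a constructed allowlist standing in for the index of an internal mirror, and a constructed requirements file containing one typo-looking name and one hallucinated-looking name. Names are normalized the way PyPI does (PEP 503), and an edit-distance check flags near-misses of allowlisted packages separately from names that are simply unknown, since the two warrant different follow-up.

```python
import re

# Constructed allowlist: stands in for the package index of an internal
# PyPI mirror that only carries reviewed packages (assumption for this example).
KNOWN_PACKAGES = {
    "requests", "numpy", "flask", "pyyaml", "cryptography", "boto3", "httpx",
}

# Constructed requirements file: the last two entries are deliberately
# a typo-looking name and a hallucinated-looking name.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
numpy
PyYAML>=6.0
reqeusts           # transposed letters: looks like a typosquat target
flask-auth-helper2 # plausible-sounding name that is not on the allowlist
"""

# Project name at the start of a requirement line (before any version spec).
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to spot near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(text: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Classify each requirement as 'known', 'near-miss' (possible typo of a
    known package), or 'unknown'. Returns a list of (name, verdict, closest)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r / --index-url
        match = _REQ_NAME.match(line)
        if not match:
            findings.append((line, "unparsable", None))
            continue
        name = normalize(match.group(1))
        if name in known:
            findings.append((name, "known", None))
            continue
        closest = min(known, key=lambda k: levenshtein(name, k))
        if levenshtein(name, closest) <= max_distance:
            findings.append((name, "near-miss", closest))
        else:
            findings.append((name, "unknown", None))
    return findings


def has_blocking_findings(findings) -> bool:
    """A CI gate would fail the build on anything that is not an allowlisted name."""
    return any(verdict != "known" for _, verdict, _ in findings)


if __name__ == "__main__":
    results = audit_requirements(SAMPLE_REQUIREMENTS)
    for name, verdict, closest in results:
        hint = f" (did you mean '{closest}'?)" if closest else ""
        print(f"{verdict:9s} {name}{hint}")
    raise SystemExit(1 if has_blocking_findings(results) else 0)
```

Run against a real requirements file, the "near-miss" verdict is the one to treat as a likely typo or squat of a package the organization already trusts, while "unknown" is the slopsquatting case: a name nobody on the allowlist team has reviewed, which should be resolved by a human before any installer is pointed at a public index.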




[1] https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/

[2] https://www.theregister.com/2024/09/30/ai_code_helpers_invent_packages/


[7] https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks

[8] https://capec.mitre.org/data/definitions/630.html


[10] https://x.com/karpathy/status/1886192184808149383

[11] https://socket.dev/blog/gmail-for-exfiltration-malicious-npm-packages-target-solana-private-keys-and-drain-victim-s

[12] https://www.theregister.com/2025/03/17/supply_chain_attack_github/

[13] https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/

[14] https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/

[15] https://www.theregister.com/2024/11/05/typosquatting_npm_campaign/




well duh.

SnailFerrous

Boss: You there, yes you, low-life code monkey. Put together an AI model that can do your job. When it's reliable enough, go join the dole queue.

Software Engineer: Yes boss, I'll get right on it.

Re: well duh.

Brewster's Angle Grinder

Never had to train up your replacement?

Re: well duh.

that one in the corner

I hope you jest, but this morning I looked at an online jobs page for my area.

Every other job was, literally, from the same company, saying "we need someone who knows X to train our AI how to do X", where X is C# or Python or Web frontend or backoffice systems or...; after which you can go find something else to do with your time.[1] At least this lot was up front about it.

Hallucination

Sorry that handle is already taken.

Every LLM output is a hallucination. It's how LLMs work.

Some of them are objectively nonsense, but those are just as statistically valid as the ones that we decide are "good".

'vibe coding' is happening constantly. Developers prompt the AI, copy the suggestion, and move on

Howard Sway

Luckily for those of us who know how to code properly, the problems this causes are going to keep us competitive. What's next? 'Vibe surgery', where surgeons prompt an AI, saw your leg off, and move on?

m4r35n357

"some hallucinated names show up repeatedly when prompts are re-run, while others vanish entirely"

Pretty damning statement, your artificial idiot is now a moody fucker too (I've told you once already!).

Why should a supposedly "intelligent" machine give different answers for the same prompt anyway?

If you are still cheerleading this shite even now, here is some homework for you: https://en.wikipedia.org/wiki/Idempotence

A mess of our own making…

Reiki Shangle

Why oh why oh why do people veer to nostalgia, fantasy and star trek devices, when reality offers clarity and stability.

I know people who are as prone to technology and programming hallucinations as any dodgy LLM (that is to say, all LLMs), the difference is that too many people are swayed by the allure of the KoolAid.

What a disaster in the making…

Is this news ?

Anonymous Coward

It may be interesting to some, but it's only "news" if you are in a contingent that is surprised to get wet if it rains, or to discover it's hot in the Sahara.

10 All this AI bollocks is merely high-speed pattern matching that has a feedback loop. However, because it can only research "intelligence" from either masses of human content, or increasingly masses of its own content, then the quality of its output can only exponentially tend towards the arithmetic mean as time progresses.

20 How can you tell "good" content from "bad" content? You need "intelligence" to figure it out.

30 Goto 10.

Feedback?

Eclectic Man

The program DeepMind taught itself to play 'Go' by playing the game and seeing what happened; it had a feedback process that told it whether it had 'won' or 'lost'*. Surely linking an AI code generator to an actual compiler, so that the AI can compile its own code and see the error messages, would be one way to get the things to write actual code rather than link to fantasy subroutines?

* https://historyofinformation.com/detail.php?id=4365

"We’re seeing a real shift in how developers write code,"

Anonymous Coward

SHIT, not shift. Plese El Reg, be more carefull in the future.

LVPC

One more reason not to use python, public repos, or AI.

Anonymous Coward

"One more reason not to use python, public repos, or AI"

I had done quite well in the past using Python and public repos. In real jobs in real companies.

AI, let the bubble burst.

Help Me, Doctor!

An_Old_Dog

Doctor: What seems to be the problem?

Patient: A broken wrist.

Doctor: What happened?

Patient: Well, there's this new kind of sledgehammer design called 'LLM/generative AI', and it's super-cool! Everybody's buying them, renting them, and trying them. It features a special carbon-fibre handle which is so light, it weighs practically nothing. It's so easy-to-use, it nearly does all your work for you!

Doctor: And ...?

Patient: This sort of sledgehammer design has a flaw. The head has a tendency to come loose on the handle. As you're driving in a railway spike, the head might rotate on the handle, and not hit the spike very hard, so you have to keep trying and trying to get the spike to go in. Or, it'll hit the spike cockeyed, drive it in at an angle, after which you need to use a crowbar to pry the spike back out and start over. Today when I was using one, when I lifted the sledgehammer up, the sledgehammer head came loose, slid down the handle, hit my hand, and broke my wrist. People have tried all sorts of things to fix this problem: duct tape, cord, little hammered-in wedges, rubber collars, metal guide rails, and all sorts of other things, but none of them work well-enough.

Doctor: I recommend you go back to using the old-style sledgehammers.

Patient: That's too much hard work. The new ones are so easy to use and are so cool!

Doctor: I'm going to refer you to a specialist. (Doctor scribbles on a notepad, tears off the note, and hands it to the patient.) Call Doctor Mark Jones at that number and have his P.A. set up an appointment for you.

Patient: What does Doctor Jones do?

Doctor: Brain surgery. Now get out of my office!
