LuccusApr 30, 2025

Ich bin geschockt und schockiert. Was ein Schocker! Wer hätte das denn ahnen können?

https://arxiv.org/pdf/2406.10279

TLDR: Künstliche Intelligenz halluziniert konsequent Pakete, welche sich, sofern ein Programmierer sich auf die KI verlässt, per Dependency Confusion exploiten lassen.

#KI #AI #moreAthanI #Sicherheitslücke #IT #DependencyConfusion #RepositoryHijacking #ProgrammerHumor

Ars Technica NewsApr 29, 2025
AI-generated code could be a disaster for the software supply chain. Here’s why. https://arstechni.ca/fUp9Y #packageconfusion.packagehallucination #dependencyconfusion #supplychainattac #Security #Biz&IT #AI
AI-generated code could be a disaster for the software supply chain. Here’s why.

LLM-produced code could make us much more vulnerable to supply-chain attacks.

Ars Technica
Gonçalo ValérioSep 29, 2024

"CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package"

https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package

#security #infosec #cybersecurity #dependencyconfusion #supplychain

CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package

Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.

Tenable®
Jeroen Ruigrok van der WervenFeb 29, 2024

Over 100,000 Infected Repos Found on GitHub

https://apiiro.com/blog/malicious-code-campaign-github-repo-confusion-attack/

#GitHub #DependencyConfusion

Over 100,000 Infected Repos Found on GitHub

The Apiiro research team has detected a repo confusion campaign that has evolved and expanded, impacting over 100k GitHub repos with malicious code.

Apiiro | Secure your development and delivery to the cloud
dubbelMay 13, 2023

Using dependabot to convert internal dependencies into public, attacker-controlled ones, using dependency-confusion. Wow, nice find!

https://giraffesecurity.dev/posts/dependabot-confusion/

#DependencyConfusion #dependabot #vulnerability

Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot

Show threadclacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛Jul 6, 2021
> Birsan began hunting for names of private internal packages that he could find in manifest files on GitHub repositories or in CDNs of prominent companies but did not exist in a public open-source repository.
[ . . . ]
> In some cases, as with PyPI packages, the researcher noticed that the package with the higher version would be prioritized regardless of wherever it was located.
> Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.Wow.

#SupplyChainAttack #DependencyConfusion
LIBRANET.de | Search

Antonio Hdez. Blas🔵Feb 12, 2021

"In this post, I demonstrate that critical parts of the #Haskell package management system are vulnerable to the #DependencyConfusion supply chain attack." #security #cabal #hackage

https://frasertweedale.github.io/blog-fp/posts/2021-02-12-haskell-dependency-confusion.html

pureblog - Haskell is vulnerable to dependency confusion

heise online (inoffiziell)Feb 10, 2021
Ein Sicherheitsforscher demonstriert, wie er mit vergleichsweise wenig Aufwand seinen Fuß in Systeme von beispielsweise Apple, Netflix und Tesla setzen konnte.
Sicherheitsforscher bricht über Open-Source-Repositories bei PayPal & Co. ein
Sicherheitsforscher bricht über Open-Source-Repositories bei PayPal & Co. ein

Ein Sicherheitsforscher demonstriert, wie er mit vergleichsweise wenig Aufwand seinen Fuß in Systeme von beispielsweise Apple, Netflix und Tesla setzen konnte.