RE: https://mastodon.scot/@simon_brooke/116232834837623434

“The researchers suspect that Glassworm—the name they assigned to the attack group—is using LLMs to generate these convincingly legitimate-appearing packages. “At the scale we’re now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn’t feasible,” they explained. Fellow security firm Koi, which has also been tracking the same group, said it, too, suspects the group is using AI.”

What I don’t get is how this snippet passed code review regardless.

I mean, it’s clearly dodgy and the last line is basically meaningless without the code being evaluated.

The real story here isn’t the invisible Unicode characters, it’s the lack of proper code review on code submissions.

@aral I agree that code reviews should generally be "wtf?! eval?!", but it is always good to remind people that an empty-looking string is not necessarily really empty.
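As an added example (not from the thread, nor from any of the researchers named above), a small Python check a reviewer or CI job could run to surface exactly that: it reports every invisible code point in a source text and lists string literals that look empty on screen but are not. The sample input and the set of code point ranges it treats as invisible are my own choices.

```python
"""Flag invisible code points in source text: the trick that lets an apparently
empty string literal carry a hidden payload. Added example, not from the thread."""
import re
import unicodedata
from typing import NamedTuple

# Ranges that render as nothing yet survive copy/paste and diffs: variation
# selectors, the Unicode Tags block, and the common zero-width characters.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tags block
    (0x200B, 0x200F),    # zero-width space/joiners, bidi marks
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0xFEFF, 0xFEFF),    # zero-width no-break space / BOM
]
ALLOWED_CONTROLS = {"\t", "\n", "\r"}   # the only control characters source needs

def is_invisible(ch: str) -> bool:
    """True for code points that produce no glyph and have no business in source."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    cat = unicodedata.category(ch)  # Cf format, Co private use, Cn unassigned, Cc control
    return cat in {"Cf", "Co", "Cn"} or (cat == "Cc" and ch not in ALLOWED_CONTROLS)

class Finding(NamedTuple):
    line: int
    col: int
    codepoint: str
    name: str

def find_invisible(text: str) -> list[Finding]:
    """Locate every invisible code point with its 1-based line and column."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                out.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                   unicodedata.name(ch, "<unnamed>")))
    return out

# Matches a quoted literal (', " or `) with its body, honouring backslash escapes.
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*)\1""", re.S)

def empty_looking_literals(text: str) -> list[str]:
    """Contents of string literals that look empty on screen but are not."""
    return [m.group(2) for m in STRING_LITERAL.finditer(text)
            if m.group(2) and all(is_invisible(c) for c in m.group(2))]

# Constructed sample: an "empty" JavaScript string made of two tag-block characters.
SAMPLE = "const sep = '';\nconst hidden = '\U000E0041\U000E0042';\neval(sep + hidden);\n"
```

Run `find_invisible` over a file's text to get line/column reports; a non-empty `empty_looking_literals` result is the "empty string that isn't" case.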