this post was submitted on 28 Mar 2024
404 points (97.2% liked)

Technology

68599 readers
3811 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
404
AI bots hallucinate software packages and devs download them (www.theregister.com)
submitted 1 year ago by db0@lemmy.dbzer0.com to c/technology@lemmy.world
110 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] db0@lemmy.dbzer0.com 26 points 1 year ago (4 children)

You'd be surprised how well someone who wants to can camouflage their package to look legit.

[–] RustyNova@lemmy.world 7 points 1 year ago (1 children)

True. You can't always be 100% sure. But a quick check for download counts/version count can help. And while searching for it in the repo, you can see other similarly named packages and prevent getting hit by a typo squatter.

Despite, it's not just for security. What if the package you're installing has a big banner in the readme that says "Deprecated and full of security issues"? It's not a bad package per say, but still something you need to know

[–] YoorWeb@lemmy.world 6 points 1 year ago (1 children)
[–] RustyNova@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

Oh, TIL

Edit: *YourWeb

[–] laughterlaughter@lemmy.world 1 points 1 year ago

Oh, TIL.

Edit: *YourWeb.

[–] KairuByte@lemmy.dbzer0.com 2 points 1 year ago (1 children)

Yeah, I’m confused on what the intent of the comment was. Apart from a code review, I don’t understand how someone would be able to tell that a package is fake. Unless they are grabbing it from a. Place with reviews/comments to warn them off.

[–] KillingTimeItself@lemmy.dbzer0.com 1 points 1 year ago (1 children)

the first most obvious sign is multiple indentical packages, appearing to be the same thing, with weird stats and figures.

And possibly weird sizes. Usually people don't try hard on package managing software, unless it's an OS for some reason.

[–] KairuByte@lemmy.dbzer0.com 1 points 1 year ago (1 children)

Unless you’re cross checking every package, you’re not going to know that there are multiple packages. And a real package doesn’t necessarily give detailed information on what it does, meaning you can easily mistake real packages as fake when using this as a test.

The real answer is to not trust AI outputs, but there is no perfect answer to this since those fake packages can easily be put up and sound like real ones with a cursory check.

[–] KillingTimeItself@lemmy.dbzer0.com 1 points 1 year ago

depends on how you integrate it i suppose. A system that abstracts that is pretty awful.

At the very least, you should be weary of there being more than one package, without explicit reason for such.

[–] KillingTimeItself@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago)

we just experienced this with LZMA on debian according to recent reports. 2 years of either manufactured dev history, or one very, very weird episode.

[–] UmeU@lemmy.world 1 points 1 year ago

That’s what my ex wife used to say