domingo, 12 de julio de 2026

Slopsquatting AIs New Software Supply Chain Threat

A dangerous new cybersecurity threat called slopsquatting has emerged, exploiting artificial intelligence coding assistants to compromise software development. Unlike traditional typosquatting, which relies on misspelt domain names, slopsquatting weaponises AI hallucinations to inject malicious code into developers' projects from the very beginning.

Slopsquatting: AI's New Software Supply Chain Threat

Slopsquatting works by exploiting large language models' tendency to invent fictitious software package names during code generation. When AI coding assistants hallucinate non-existent packages, cybercriminals can register those exact names and populate them with malware. Developers who trust their AI tools unknowingly incorporate these malicious packages directly into their codebases, creating a severe supply chain vulnerability.

Research has revealed alarming statistics about this threat. Analysis of over 576,000 code samples found that nearly 20% of AI-generated packages were hallucinations. Open-source AI models proved particularly vulnerable, with hallucination rates reaching 13.63% compared to just 3.59% for proprietary models like GPT-4.0 Turbo. This means organisations using open-source AI coding tools face approximately four times greater exposure to slopsquatting attacks.

The problem is exacerbated by the rise of 'vibe coding', with developers estimating that over 40% of their committed code now includes AI assistance, and 72% of AI users relying on these tools daily. Vulnerabilities in open-source software packages are increasing at 98% annually, whilst their average lifespan has grown by 85%, indicating declining security standards. These malicious packages can remain undetected in production environments for months or years, passively spreading malware across countless systems.

What makes slopsquatting particularly insidious is that hallucinated packages appear legitimate. They often bear string similarity to real libraries, making them recognisable and trustworthy. Unlike simple typos that security registries can detect, AI-generated fictional package names bypass existing protections entirely. Threat actors can even conduct adversarial hallucination attacks, manipulating models to recommend specific malicious packages.

To protect against slopsquatting, developers must verify that all AI-recommended packages actually exist in official repositories before implementation. Organisations should implement automated validation checks against known registries, monitor for unusual package installations, and maintain current threat intelligence on slopsquatting campaigns. As AI becomes increasingly integrated into development workflows, vigilance and verification processes are essential to maintaining software supply chain security.

Fuente Original: https://venturebeat.com/security/forget-typosquatting-slopsquatting-is-the-software-supply-chain-threat-created-by-ai-coding-tools

Artículos relacionados de LaRebelión:

Artículo generado mediante LaRebelionBOT

No hay comentarios:

Publicar un comentario