If malware is massively prolific in public repos, how much does this affect LLMs and other automation tools that are trained using the contents of such resources? What are the chances that we'll see copilot & friends occasionally emit malware in response to coding questions that generate responses long enough for accidentally malicious parts to hide amongst? Simpler vulnerabilities such as simple injection vectors have often been seen already.

Or just pay or threaten a struggling company or dev to insert them?

easier to clone and infect existing ones. what you are describing might be effective but would be orders of magnitude more time consuming.

cloning and infecting provides 100x more opportunities because these are already popular repos

as to paying or coercing someone, again it costs time and money. far easier to just abuse this loophole

It also seems dangerous in the sense that… if there’s a type of prompt that is likely to create infected code, our intelligence agencies would, I guess, want it to hit our adversaries selectively. So they’ll have more rolls of the dice to detect it. So, it is actively creating a situation where our adversaries are more likely to have knowledge of the vulnerabilities.

As you've pointed out, this vector would give them near surgical precision and insight into their target's code & systems, rather than casting a wide net with a vulnerable library on Github. They could use a model trained on "underhanded" code or even selectively overwrite parts of the responses with hand-crafted vulnerabilities while only targeting select organizations.

It makes me wonder what the business model of OpenAI and their peers is going to be over the long term. I can't imagine large corporations using "LLM as a service" indefinitely with the risk of IP theft and "bug injection".

[0] https://en.wikipedia.org/wiki/Underhanded_C_Contest

I've gotten that a few times and it's nice to know it's not a limitation of the LLM.

0: https://pncnmnp.github.io/blogs/translating-dijakstra.html

https://news.ycombinator.com/item?id=39549482

“we show how an attacker could compromise the Hugging Face Safetensors conversion space and its associated service bot. These comprise a popular service on the site dedicated to converting insecure machine learning models within their ecosystem into safer versions.”

Using LLMs means investing more effort in code review. I think that's a worthwhile trade.

Why review code at all if you think your coworkers are infallible?

It looks like there’s been a communication hiccup or something; I think you are saying that the LLM user should treat LLM code as if it is written by an unreliable team-mate who might copy-paste from the internet, and check it.

Jprete seems to be talking about just receiving a PR from a person who didn’t do that checking and just directly is using the LLM code.

I agree with you, but I think it is worth noting that

> This is not a worthwhile trade

> It's a worthwhile trade

The difference here is not in whether or not the trade is worthwhile; you are just talking about two different trades .

I don't think it's OK for a coworker to contribute a PR generated by an LLM without having already reviewed it and being ready to declare that they are confident in its quality.

1. Internal instructions telling the generator to avoid exactly that. We wouldn't want to rely on this alone though.

2. Due to LLMs nature, it's unlikely that such generated malicious code would repeat addresses of actual malicious actors. This still leaves a variety of attack vectors such as bind shell, dos, on-site exfiltration, and more.

You don't need tools in the age of AI, just ass an AI pipeline step.

Of course if this is underhanded code (not to be confused with obfuscated - I won't accept obfuscated code from LLMs) I might miss things.

Given the way LLMs are trained, it might be unlike but it is conceivable that if they see deliberate back doors injected into enough of the training data, they'll consider it to be a valid part of a certain class of solution and output the same themselves. It is a big step again from deliberate back-doors to active malware, but not an inconceivable one IMO if large enough chunks of code are being trusted with minimal testing.

Given that LLMs are popular coding assistants, I suspect there are already many issues similar to `goto fail;`

When Amazon has "the everything store" as main strategic goal, they get hit by "90% of everything is junk". So they end up being a store of mostly junk.

Github should figure out if their product is "a repository for everybody" or it is "I can trust this code".

E.g. look at the official PG JDBC: nothing here couldn't be reproduced by a spammer. How do I know that I can trust this and that it is not an infected repos? https://github.com/pgjdbc

I'm pretty sure they decided on "repository for everybody" when they first launched the company 16 years ago.

For extra piece of mind, you can also check the GPG signatures as all artifacts are signed when published to Maven Central... you need to get the key used by Postgres to sign that somehow independently from Sonatype. That's a downside of this mechanism, you just need to know for each publisher, where to get their GPG keys from. In the case of PG, I couldn't even find it with a quick google search.

    SELECT uniqHLL12(repo_name) FROM github_events;

    361648383

The article reaches the 100K number by searching for repos with patches with a particular string contained in this specific attack, so it's likely missing many malicious repos that use different methods of infection.

As a developer I have to do some due diligence about where I'm getting my data from. If I'm slurping in random repos because the name matches that's a people problem, not a github specific problem.

It's why the JavaScript ecosystem of micro packages is absolutely insane. If someone infected isEven, they'd have a blast radius of 90% of JavaScript devs.

It's much like having a single password protecting everything. JavaScript has way too many of these high value packages that find their way into every modern JavaScript project.

Trust mechanisms in GitHub/etc can’t solve the whole problem, for sure.

But some automated safety mechanisms at scale can reduce the risk for those who don’t follow perfect security practices, which has value to the world at large.

Very few of us have the capacity to do even cursory validation for every update to every dependency of every bit of software we use.

The main benefit of reusing software packages is that you don’t want to spend the effort of writing/reviewing all the internals of the component.

At some point, to trust an abstraction blindly, you need to instead follow reputation. Who has authority to say what is reputable or not is the difficult dilemma.

As seen with CVE authorities lately, it’s not easy. As much as they undermine their own authority by declaring everything as a CVE, vice versa, declaring every org in GitHub as “Verified” may eventually be easy for scammers to get as well.

Back in the days, just having an SSL certificate on your web site was a big stamp of trust. Now everybody has it and it doesn’t mean anything.

what might be better would be some kind of trust layer built into package managers so they (optionally) only allow verified repos to be installed

Obviously it's hard to make a one-size-fits-all solutions, bottom line is that if you use third party code for anything serious you have to do your due diligence from a security pov, a vulnerability assessment at the bare minimum.

Lots of big companies are in fact maintaining their own versions of whole package ecosystems just to manually address any security concern, which is a crazy effort.

Even tho we don't currently target any npm releases, I make use of socket.dev to monitor my project by creating an npm release for it. But my project BrowserBox (lightweight virtualized web browser) only uses ~800 dependencies including all descendents, with only 19 top-level deps (cool your heels non-JavaScript folks, this is comparatively lightweight for a full stack boing).

I'm considering just snapshotting all 800 deps into a @browserbox namespace at npm. And then tracking any vulnerabilities discovered and patching the fixes.

It sounds crazy, but that's where we are. At least that way I "own" all the dependencies and can guarantee (up to company security at least) that we don't have supply chain vulns on the Node/JS side.

https://socket.dev

https://github.com/BrowserBox/BrowserBox

Austral uses linear types to give fine grained permissions to dependencies. A graphics library doesn't need file io, a network transport library doesn't need microphone access. That is just a mitigation, but it would be nice to see in other languages.

I was horrified to see how much time I started spending fussing with dependency hell after I moved from .NET to Java about 10 years back. And I am currently horrified by how much time I have to spend doing vulnerability updates and fussing with dependency hell in both Java and Python projects nowadays.

I think maybe the reason I didn't have this problem to nearly the same extent in .NET is that .NET was relatively late to the automated package management scene. NuGet is relatively young, and, as of the last time I got paid to do .NET work, very few of the projects I worked on had actually adopted it yet. So, at least back then, .NET had a stronger culture of well-focused projects that didn't take on enormous transitive dependency trees.

I would also compare this to the recent news about Boeing. Theories abound about why it's gone down the tubes. The one that I find most compelling, though, is that, over the past couple decades, they have focused on moving more of their production out to third-party suppliers, and also cost optimizing their outside supply chain. And that has made their supply chain increasingly difficult to actually manage. The details are different, but in broad strokes it looks a lot like modern software engineering culture regarding supply chain - and some have even argued that this is where Boeing got the idea.

Meanwhile, the place I've worked where I found dependency management to be the least annoying - and where we had the fewest problems with quality - was a financial firm that had banned package managers for supply chain security reasons. There's something to be said for code that absolutely will not change unless you explicitly change it. I've heard similar sentiments expressed by friends and acquaintances who work at Google.

We did write a lot of stuff for ourselves where others would just import a package, and that was good, too. The in-house implementation would do just what we need, and be held to a higher coding standard. So it was easier to understand, easier to debug, and easier to modify as requirements change. And here's the thing: writing it in the first place is a one-time cost, and one-time costs have good amortization characteristics. The recurring costs of dealing with code that's trying to be everything to everybody can easily be greater in the long run. They generally don't amortize; they compound.

Rich Hickey really got me to see how this kind of phenomenon works in his talk "Simple made Easy." Long story short, simple is different from easy. The simpler option tends to look harder up front. But it also tends to be easier in the long run, after you give second-order effects some time to take their toll.

First all those dependences you pull in aren't necessarily dependencies because they are done at the package level. If I use one class/function from package A, I may not need any of the package A sub-dependencies - yet these package managers will pull them in recursively down the tree.

Second you are trading control for having somebody else manage version dependencies - not sure that saves you time in the end - especially if you took an approach that didn't pull in unncessary dependencies in the first place.

It was a build system which was a pure pleasure to work with, last not least I think because it did not try to solve problems which turn out intractable in the general case.

They are not going to have these supply-chain issues.

Oh boy. That's just the first gate of hell. You should try JS!

When I was in my teens and 20s, I enjoyed complexity, because understanding complicated things made me feel smart. That meant I had an incredible tolerance for needless complexity.

Now that I've been around the block a few times, though, I just don't have patience for that kind of thing anymore. It all reminds me of the Wallace and Gromit cartoons. Wallace is a very smart and clever inventor, and his inventions are very smart and very clever and very silly.

The complexity of digital life takes on dimensions that make me doubt whether it can continue in the long term.

All this digital stuff falls naturally to me, but for the most part, people my age and older really don't cope well with the digital world. I'm an exception because I got my feet wet in the mini/timesharing environment, just as personal computing was beginning to take off, and didn't lose interest.

Also, how well are we really teaching the next generation? I see both good and bad in that regard, with Pi, Arduino, etc. being the brightest spot, and locked-down ecosystems and pervasive surveillance the darkest.

And, of course, there's the whole culture problem. The notion of "computer literacy" went from "knowing how to use a computer" to "knowing how to use Word and Excel" almost overnight. Are schools actually using things like the Pi and Arduino, or are we leaving it to parents to get such things into their hands?

Gen Z here checking in to say almost entirely the latter :/ .

Some schools have an elective that would get things into the hands of kids, but nowhere near 100% and they generally have a pretty low coverage of students at the school.

theoretically.

in practice the added latency is a problem outside of casual use.

update: clarification seems to be neccessary as i was talking about audio/video/gaming type workload, NOT office stuff

Cloud gaming will probably be the next frontier in this.

It was a bad enough experience, that it is now a part of my interview questions if the company works through remote desktop solutions.

I believe that thats your experience. Its not really because the technology is improving though, its because you're growing older.

The latency is absolutely horrendous, and anyone thats used to a decently performing system will not agree with your opinion.

As a simple example: i can easily code 6+h with no break on a good system, with these mainframe system i'm gonna take a break at least every hour because the fatigue builds up so quickly. Its every little interaction, simple input that doesn't appear for 50+ms, switching owrkspaces thats delayed for 150+ms.

https://danluu.com/input-lag/

Not to mention that it's ridiculously wasteful.

But you're right, one shouldn't automatically assume that streaming is more wasteful than letting the resources sit idle... (one issue here is the assumptions about how fast computers are replaced for consumerist reasons ?)

(And this would still leave the issue of the loss of ownership.)

That said, I think we either need proper OS level sandboxing, something like Qubes or just using multiple VMs or devices with remoting. It doesn't feel viable to have something like Discord or other communication software or things with account tokens, and executables like software or games running on the same install, whereas dual booting isn't viable for that either.

So maybe cool for people with itches or startup aspirations, more hassle for everyone else.

I hate to call it out, but, isn’t that table stakes? Blending work and personal environments should be an obvious no. Are employers out there ok with this?

It depends on where you work, how much people will care and whether there are resources to do anything about it.

I think the issue probably isn't uncommon for freelancers/contractors too.

Hobby and personal stuff I think a lot of people mix, I don't use the machine where I do bank/tax/etc stuff for hobby work, but I'm not sure that's common.

[1] https://github.com/jrz/container-shell

Have they managed to get rid of Xorg and the terrible screen tearing issue that should be a thing of the past in 2023? I remember there was a project named SpectrumOS that tried to do something similar to QubesOS but with nixos, crosVM and wayland. AFAIK the project stalled.

I am using a sort of middle ground between traditionnal desktop and QubesOS. I run a number of VMs on my machine for different purpose and use waypipe to start apps as individual windows on the main desktop. I don't really have the copy/paste separation that QubesOS has, nor a separation between host and network VM but at least I can separate duties, filesystems and seamless windows showing on only one desktop. To distinguishes the browser and terminal windows I use different themes.

https://github.com/QubesOS/qubes-issues/issues/5104

https://github.com/QubesOS/qubes-issues/issues/7591

If not, try this: https://github.com/QubesOS/qubes-issues/issues/6880#issuecom...

There is no tearing on my Librem laptops.

It is the first time I hear about that Tearfree option and I am wondering. If it exists and it isn't the default behavior, it means there must be some annoying drawbacks right?

We are a pretty small team developing SDKs that have a pretty large amount of weekly download. I’ve been evaluating tools such as snyk, aikido.dev, and some solutions built on top of renovate (that we already use for general dependency management), it’s not obvious if they would help with this, and given we are still tiny dealing with a large amount of false positive (that was the case with snyk) is a pain. Just curious how others are dealing with this.

Good as they'll be in detecting vulnerabilities, you are still unprotected from malicious code planted in your code bases.

Sonatype does if you pay $$$ for Firewall, but that only catches things installed via a package manager.

1. https://github.com/ossillate-inc/packj

This only works for published dependencies, but based on a couple years experience it works really well. No issues with malware (so far), we don't let packages with known vulns into our codebases and we are notified if a vuln is discovered in something we use.

[0] https://trivy.dev/

aka the whole "just run 'curl https://somesite/install.sh' | sudo sh" to install our software

Seems like it'd go very hand in hand with this infected stuff mentioned in the article.

`go get` is the only common dependency downloader I am currently aware of where hostile code doesn't run at install or build time.

I think we need better tooling for working in sandboxes, to at least compartmentalize the explosion. ChromeOS's "virtual machines can open Wayland windows on the main desktop" trick is neat, but the code needed to do that was less than clean or reusable when I last looked.

Maven is the same way, AFAIK.

https://blog.uirig.com/getting-rid-of-npm-scripts

the only real solution is a reputation system (like https://github.com/crev-dev/cargo-crev ), which of course is unfortunately barely used

[1a] https://code.visualstudio.com/docs/devcontainers/create-dev-... [1b] https://github.com/codespaces [2] https://www.welivesecurity.com/en/eset-research/lazarus-luri... [3] https://cheatsheetseries.owasp.org/cheatsheets/NodeJS_Docker... [4] https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_...

> However, when I downloaded and Extract it,[...] it stole my personal information and files.

Well, I don't see where is the problem here. The repo is doing exactly what it claims

If you're a potential customer for something like this, you quickly have to ask: why not have another 1000 contracts to separate tiny startups that each do the bare minimum to paper over an unknown portion of just one security gap? What other costs will you incur integrating with each of them in turn? How many of them will even still be in business a year later?

There would be several hundred with more ROI than this one, so why start here? Even if you undertake this costly and tedious journey, how far down the list would you have to go before you get anywhere close to this one?

(I do agree with your point that Github should be better at displaying which repo is the official one for a project.)

I know what an unpopular opinion this is, with the HN crowd, but I think we need to completely reevaluate our dependence on dependencies.

I have run into people that Literally. Can't. Write. Code, without dependencies. Their skill is at passing LeetCode tests, and googling for dependencies. Their bosses like them, because they pass the interviews with flying colors, and get results really quickly.

I remember, a number of years ago, attending a meetup, promising to explain GraphQL, and, instead, it was a lecture on using a JavaScript GraphQL wrapper. I don't think that two minutes were devoted to the API, itself. I seemed to be the only person in the room, that was going "Whiskey Tango Foxtrot?"

For myself, I use a lot of dependencies, but I wrote almost all of them, myself. I have spent years, building a library of SDKs and modules that I can integrate into my shipping projects.

I have only two external dependencies, in my current projects. These are not ones that would kill me, if I was forced to go alone, but they do save a lot of time (an Apple Keychain wrapper in Swift, and a streaming JSON parser in PHP, for the record).

You mean despite its (financial) resources?

So, folks adopt the (admittedly ridiculous, but, in the strict sense, necessary) 0-trust step of running everything in QubesOS, then in a VM, and maybe then in Docker.

Essentially each application gets its own fresh OS to fuck up or not...as it goes.

I get this (but I don't condone it). It's not practical for dev purposes, only if you are endlessly testing the waters for each little thing. But, prolly, eventually we will be wowed by a shiny-thing that achieves infinity-virtualization with bare metal performance but perfect isolation so we can easiily run

  infinvm run github.com/malware/repo

We ain't there yet tho. Hahaha :)

You probably instead should use a throwaway computer (or VM if you trust them), and not do anything personal on that computer, and then burn it.

With HTTPS, everything is already checked in transit, so you don’t need to verify it again.

On top of that, with git, all the revisions are inherently verified as sha1 hashes.

In either case, what’s inside may still be malicious if you end up on a typosquatted repo.

For example, if you use bots to spam Wordpress blogs with comments that contain links to your site (black hat SEO), that is obviously a bad thing to do, but I'm not sure if it's even against a law.

"The ease of automatic generation of accounts and repos on GitHub and alike, using comfortable APIs and soft rate limits that are easy to bypass, combined with the huge number of repos to hide among, make it a perfect target for covertly infecting the software supply chain. This campaign, along with dependency confusion campaigns plaguing package registries and generally malicious code being spread through source control managers, demonstrates how fragile software supply chain security is, despite the abundance of tools and available security mechanisms."

There seems to be a fundamental trade-off at play. I often see security portrayed as a hindrance, requirements thereof as a drag on productivity. That is in line with a strong trend in developers with a very narrow skill set. The ability to throw framework at the wall and see what sticks pays very well. No one wants a stick in the mud asking why on Earth dependency management is at the state it is, or imposing reasonable security practices. I have been there, I have argued with developers from teams that had been breached before saying "no, this is safe because I can't see how this could be exploited". Security by obscurity so deeply ingrained one takes obscurity from oneself as evidence of safety.

CISA[0] might be a good agency to begin with, if for no other reason than to find a more appropriate one to contact.

0 - https://www.cisa.gov/about