this post was submitted on 01 Apr 2024
198 points (97.1% liked)

Technology

69913 readers
2004 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
198
AI bots hallucinate software packages and devs download them (www.theregister.com)
submitted 1 year ago by Stopthatgirl7@lemmy.world to c/technology@lemmy.world
10 comments fedilink hide all child comments
 

Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package was laced with actual malware, rather than being a benign test, the results could have been disastrous.

all 12 comments
sorted by: hot top controversial new old
[–] conciselyverbose@sh.itjust.works 27 points 1 year ago (1 children)

Imagine that.

"Writing" code you don't understand is dangerous.

[–] anteaters@feddit.de 2 points 1 year ago

AI is the funniest shit - even better that NFTs.

[–] DingoBilly@lemmy.world 22 points 1 year ago (1 children)

And someone recently told me the Xz exploit doesn't matter because no developer is stupid enough to install beta releases to prod systems lol.

Laziness and/or low skills leads to a lot of IT failures.

[–] lambda_notation@lemmy.ml 1 points 1 year ago

Another way of looking at it; If there exist a release then it will be deployed to prod.

[–] 0xvalentin@lemmy.sdf.org 9 points 1 year ago

I am lazy too and admittedly have copy pasted code from an LLM but adding a new dependency without looking at a package registry seems crazy to me.

[–] autotldr@lemmings.world 4 points 1 year ago

This is the best summary I could come up with:

In-depth Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency into a real one, which was subsequently downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned.

He created huggingface-cli in December after seeing it repeatedly hallucinated by generative AI; by February this year, Alibaba was referring to it in GraphTranslator's README instructions rather than the real Hugging Face CLI tool.

Last year, through security firm Vulcan Cyber, Lanyado published research detailing how one might pose a coding question to an AI model like ChatGPT and receive an answer that recommends the use of a software library, package, or framework that doesn't exist.

The willingness of AI models to confidently cite non-existent court cases is now well known and has caused no small amount of embarrassment among attorneys unaware of this tendency.

As Lanyado noted previously, a miscreant might use an AI-invented name for a malicious package uploaded to some repository in the hope others might download the malware.

The original article contains 1,143 words, the summary contains 190 words. Saved 83%. I'm a bot and I'm open source!

[–] aCatNamedVirtute@lemmy.world 2 points 1 year ago

Sorry, what?