The Dark Side of abstraction, Supply Chain Attacks on dependencies


The software development landscape has fundamentally shifted in the last three years. AI is becoming an increasingly large part of coding, and new kinds of attacks are appearing in the wild. Several of them carry the hallmarks of attacks seen over the last decade in the Play Store, the Chrome Web Store, the Firefox add-ons store, the Microsoft Store and every other app store there is.

The Python Package Index (PyPI) has become a particular target because of its popularity and relatively permissive upload policies. AI can now scan PyPI's entire catalog, identify gaps in package naming, and create malicious alternatives faster than human moderators can review them. PyPI offers a button to report a package as malicious, but what review process follows such a report is unclear.

AI hallucinations to supply chain attacks

In a newer kind of attack, an AI coding assistant hallucinates a package that does not exist; somebody then vibe-codes a package under that name, with or without malware, and keeps it available through the package managers so that anyone who follows the hallucinated instruction installs it. These are known as supply chain attacks.

AI-enhanced squatting

Traditional typosquatting relied on developers making spelling mistakes when installing packages. Today, AI systems can analyze package ecosystems to identify the most profitable targets for malicious packages.

A typical workflow for these supply chain attacks:

  1. Generate convincing package names that appear legitimate at a casual glance
  2. Fork the code of the legitimate package and host it on GitHub
  3. Create realistic documentation and README files that pass casual inspection
  4. Automate the process so that hundreds of malicious packages can be created simultaneously across multiple package repositories
  5. Incorporate the malicious code.

Domain and repository takeovers

Modern software development practices create opportunities for attackers to inherit legitimate-looking infrastructure. When developers abandon projects, their domains often expire. Attackers monitor domain expiration dates, automatically register expired domains associated with popular packages, and then serve malicious updates to existing installations. On GitHub and GitLab, the targets include inactive maintainers and organizations with lapsed accounts. Another route is to target the original package, get it removed, and replace it with a malicious version. Once control is established, attackers can push malicious updates to packages that already have established trust and user bases.

Bad pull requests

Perhaps most insidious is the gradual poisoning of legitimate packages: an attacker gets into a package, contributes only good commits for a while, and at some point pushes a malicious change when the lead developer is occupied or burnt out. The commits appear to fix bugs or add features while actually introducing vulnerabilities, and they mimic the coding style of the legitimate maintainers to avoid detection.

Solutions:

The rise of AI-driven supply chain attacks represents a fundamental shift in the threat landscape. Traditional defenses such as code reviews, automated scanning, and community oversight are insufficient against attacks of increasing sophistication. The only solution is being mindful: vetting most of these sources, and doing so again at regular intervals.
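One concrete form of that vetting, for the squatting and hallucinated-name attacks described above, is to check a requirements file against a curated allowlist and flag any name that is not on it, singling out names that sit within a couple of edits of an approved package. This is an added example, not code from the original post; the allowlist and the requirements text are constructed stand-ins.

```python
"""Vet a pip requirements list against an allowlist and flag look-alike names."""
import re

# Constructed allowlist: packages the team has actually reviewed (stand-in values).
APPROVED = {"requests", "numpy", "pandas", "cryptography", "flask"}

# Constructed requirements text: two approved names, two typosquat-style names,
# and two names that are simply unknown (the kind an assistant might hallucinate).
SAMPLE = """\
requests==2.32.3
reqeusts            # constructed: transposed letters
numpy>=1.26
pandas_ai           # constructed: not reviewed, not a close typo either
cryptograpy         # constructed: one missing letter
flask-auth-helper   # constructed: plausible-sounding but unknown
"""

def normalize(name):
    # PEP 503 name normalization: case-fold, collapse runs of '-', '_', '.' to '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Plain Levenshtein distance (a transposition costs 2 edits).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirement(line):
    # Drop comments and take the project name before any extras or version spec.
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None

def vet_requirements(text, approved=APPROVED, max_distance=2):
    """Return (name, verdict, close_matches) for every requirement not on the allowlist."""
    approved = {normalize(p) for p in approved}
    findings = []
    for raw in text.splitlines():
        name = parse_requirement(raw)
        if name is None or normalize(name) in approved:
            continue
        close = sorted(p for p in approved if edit_distance(normalize(name), p) <= max_distance)
        findings.append((name, "lookalike" if close else "unapproved", close))
    return findings

if __name__ == "__main__":
    for name, verdict, close in vet_requirements(SAMPLE):
        print(f"{verdict:11} {name}" + (f"  (close to {', '.join(close)})" if close else ""))
```

A "lookalike" verdict is the stronger signal, since a name one or two edits from a reviewed package is the classic typosquat; "unapproved" names still need a human look before they are added to the allowlist.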

For critical systems, software isolationism and reducing dependencies may be the only viable defenses. The inconvenience of writing custom code and accepting reduced functionality pales in comparison to the risk of compromise through poisoned dependencies.

The future of secure software may lie not in better supply chain security, but in eliminating supply chains altogether. In a world where any external dependency can be compromised by AI at scale, the most secure software is software that depends only on itself.

As developers, we must choose: convenience and rich functionality with significant risk, or isolation and simplicity with strong security guarantees. For systems that cannot afford compromise, the choice is clear: write it yourself, keep it isolated, and never let it see the light of day.