Generative AI models hallucinated non-existent software package names, which were then exploited by security researchers who created real packages with those names, leading to thousands of downloads by developers following AI recommendations.
Multiple generative AI models, including GPT-3.5-Turbo, GPT-4, Gemini Pro, and Command, were found to hallucinate non-existent software package names when providing coding assistance. Security researcher Bar Lanyado from Lasso Security demonstrated this vulnerability by creating a fake Python package called 'huggingface-cli' after observing AI models repeatedly recommend it. The package was uploaded to PyPI in December, and by February major companies including Alibaba had incorporated installation instructions for this fake package into their GraphTranslator project documentation. Research studies found that commercial AI models hallucinate package names about 5.2% of the time, while open-source models do so 21.7% of the time. In one comprehensive study of 16 LLMs generating 576,000 code samples, researchers identified 205,474 unique hallucinated package names. The fake 'huggingface-cli' package created by Lanyado was downloaded thousands of times by developers following AI recommendations. While Lanyado's package was benign, the incident demonstrates how malicious actors could exploit this vulnerability by creating malware-laden packages using AI-hallucinated names, a technique dubbed 'slopsquatting' by security experts.
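A review-time check for the pattern described above, as an added example (not from the original report or from Lasso Security): it pulls package names out of `pip install` lines in pasted instructions and flags any that are not on a vetted list. The allowlist contents, function names and sample text are assumptions constructed for illustration.

```python
import re

# Constructed allowlist of dependencies a team has already vetted (assumption).
VETTED = {"huggingface-hub", "torch", "transformers"}

PIP_CMD = re.compile(r"^\s*(?:\$\s*)?(?:python3?\s+-m\s+)?pip3?\s+install\s+(.+)$")
# pip options that consume the following token as their value.
OPTS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
                   "--extra-index-url", "-f", "--find-links", "-e", "--editable"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requested_packages(text):
    """Yield (line_no, normalized_name) for each package named on a pip install line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PIP_CMD.match(line)
        if not m:
            continue
        tokens = iter(m.group(1).split())
        for tok in tokens:
            if tok in OPTS_WITH_VALUE:
                next(tokens, None)  # skip the option's value (file path, index URL)
                continue
            if tok.startswith("-"):
                continue
            # Drop quotes, extras, version specifiers and environment markers.
            name = re.split(r"[\[<>=!~;@]", tok.strip("\"'"), maxsplit=1)[0]
            if name:
                yield line_no, normalize(name)

def unvetted(text, vetted=VETTED):
    """Return (line_no, name) pairs whose package is not on the vetted list."""
    allowed = {normalize(v) for v in vetted}
    return [(n, p) for n, p in requested_packages(text) if p not in allowed]

# Constructed sample: install steps as they might be pasted from an assistant's answer.
SAMPLE = """\
pip install -U "huggingface_hub[cli]"
pip install huggingface-cli
python -m pip install torch==2.2.0 transformers -r requirements.txt
"""

if __name__ == "__main__":
    for line_no, pkg in unvetted(SAMPLE):
        print(f"line {line_no}: '{pkg}' is not on the vetted list; review before installing")
```

A name that merely exists on the registry is not evidence that it is safe, which is why the check compares against a reviewed list rather than querying the index.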
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
AI systems that inadvertently generate or spread incorrect or deceptive information, which can lead to inaccurate beliefs in users and undermine their autonomy. Humans who make decisions based on false beliefs can experience physical, emotional or material harms.
AI system: Due to a decision or action made by an AI system
Unintentional: Due to an unexpected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed