Published on: 2025-04-30 02:19:29
A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and the model's tendency to "hallucinate" non-existent package names. The term slopsquatting was coined by security researcher Seth Larson as a spin on typosquatting, an attack method that tricks developers into installing malicious packages by using names that closely resemble popular libraries. Unlike typosquatting, slopsquatting doesn't rely on misspellings. Instead
Keywords: ai hallucinated names package packages
Find related items on AmazonPublished on: 2025-04-30 00:22:35
The rise of AI-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process. AI coding assistants, like large language models in general, have a habit of hallucinating. They suggest code that incorporates software packages that don't exist. As we noted in March and September last year, security and academic researchers have found that AI code assistants invent package names. In a recent study, researchers found
Keywords: ai code hallucinated package packages
Find related items on AmazonPublished on: 2025-05-01 18:40:26
Fedora change aims for 99% package reproducibility Ready to give LWN a try? With a subscription to LWN, you can stay current with what is happening in the Linux and free-software community and take advantage of subscriber-only site features. We are pleased to offer you a free trial subscription, no credit card required, so that you can see for yourself. Please, join us! The effort to ensure that open-source software is reproducible has been gathering steam over the years, and gaining traction
Keywords: build fedora package packages reproducible
Find related items on AmazonPublished on: 2025-05-06 11:20:27
is platforms and communities reporter with five years of experience covering the companies that shape technology and the people who use their tools. Donald Trump is making it even more expensive for US consumers to shop online from Chinese retailers like Temu and Shein. In an executive order amendment published Tuesday night, Trump raised the tariff rate for packages valued under $800 entering the US from China and Hong Kong that previously were exempt. The increase essentially triples what sho
Keywords: china packages percent tariffs trump
Find related items on AmazonPublished on: 2025-05-10 07:22:27
I rebuilt (the top-50 popcon) Debian and Ubuntu packages, on amd and arm64, and compared the results a couple of months ago. Since then the Reproduce.Debian.net effort has been launched. Unlike my small experiment, that effort is a full-scale rebuild with more architectures. Their goal is to reproduce what is published in the Debian archive. One differences between these two approaches are the build inputs: The Reproduce Debian effort use the same build inputs which were used to build the publi
Keywords: build debian packages rebuild stage
Find related items on AmazonPublished on: 2025-05-14 12:38:58
With President Donald Trump’s new tariff plan, your online shopping packages coming directly from China are about to get much more expensive. In February, the Trump administration moved to get rid of a little-known rule that allows US consumers to avoid tariffs on low-value packages. The de minimis exemption meant that packages valued under $800 could enter the US duty-free, and shoppers — as well as retailers — relied on the exemption regularly, even if they didn’t realize it. Nearly 1.4 billi
Keywords: china coming exemption minimis packages
Find related items on AmazonPublished on: 2025-05-15 03:38:58
With President Donald Trump’s new tariff plan, your online shopping packages coming directly from China are about to get much more expensive. In February, the Trump administration moved to get rid of a little-known rule that allows US consumers to avoid tariffs on low-value packages. The de minimis exemption meant that packages valued under $800 could enter the US duty-free, and shoppers — as well as retailers — relied on the exemption regularly, even if they didn’t realize it. Nearly 1.4 billi
Keywords: china coming exemption minimis packages
Find related items on AmazonPublished on: 2025-05-16 05:43:16
A driver for an independent contractor to FedEx delivers packages on Cyber Monday in New York, U.S, on Monday, Nov. 27, 2023. President Donald Trump on Wednesday signed an executive order shutting the de minimis trade loophole, effective May 2. Trump in February abruptly ended the de minimis trade exemption, which allows shipments worth less than $800 to enter the U.S. duty-free. The order overwhelmed U.S. Customs and Border Protection employees and caused the U.S. Postal Service to temporaril
Keywords: customs minimis packages shipments trump
Find related items on AmazonPublished on: 2025-05-25 19:22:41
Ten npm packages were suddenly updated with malicious code yesterday to steal environment variables and other sensitive data from developers' systems. The campaign targeted multiple cryptocurrency-related packages, and the popular 'country-currency-map' package was downloaded thousands of times a week. The malicious code was discovered by Sonatype researcher Ali ElShakankiry and is found in two heavily obfuscated scripts, "/scripts/launch.js" and "/scripts/diagnostic-report.js," which execute
Keywords: downloads malicious npm packages version
Find related items on AmazonPublished on: 2025-05-29 11:00:00
Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system. The new tactic was discovered by researchers at Reversing Labs, who warned about the risk it entails, even if the packages weren't downloaded in large numbers. "It's not unusual to encounter downloaders on npm; they are may
Keywords: ethers legitimate npm package packages
Find related items on AmazonPublished on: 2025-06-21 17:42:19
Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus. The packages, which have been downloaded 330 times, are designed to steal account credentials, deploy backdoors on compromised systems, and extract sensitive cryptocurrency information. The Socket Research Team discovered the campaign, which linked it to previously known Lazarus supply chain operations. The threat group is known for pushing malicious packages i
Keywords: code malicious malware package packages
Find related items on AmazonPublished on: 2025-07-07 17:00:00
The software supply chain is notoriously porous: a reported 81% of codebases contain high- or critical-risk open source vulnerabilities. A single vulnerability can have a far-reaching impact on the wider software supply chain, as evidenced by the likes of the Log4Shell exploit that saw millions of applications exposed to potential remote code execution hacks via the Log4j logging library. Northern Irish startup Cloudsmith is setting out to solve this exact problem with its cloud-native “artifac
Keywords: cloudsmith package packages software source
Find related items on AmazonGo K’awiil is a project by nerdhub.co that curates technology news from a variety of trusted sources. We built this site because, although news aggregation is incredibly useful, many platforms are cluttered with intrusive ads and heavy JavaScript that can make mobile browsing a hassle. By hand-selecting our favorite tech news outlets, we’ve created a cleaner, more mobile-friendly experience.
Your privacy is important to us. Go K’awiil does not use analytics tools such as Facebook Pixel or Google Analytics. The only tracking occurs through affiliate links to amazon.com, which are tagged with our Amazon affiliate code, helping us earn a small commission.
We are not currently offering ad space. However, if you’re interested in advertising with us, please get in touch at [email protected] and we’ll be happy to review your submission.