ChatGPT Urges Developers to Address Supply-Chain Malware Attacks and Hallucinations Vulnerabilities

Hackers have discovered a vulnerability in the popular OpenAI language model ChatGPT that enables them to spread malware through the software supply chain. Researchers from cybersecurity firm Vulcan Cyber’s Voyager18 team have warned that attackers can exploit ChatGPT’s preference for returning false information to spread malicious code packages. In a blog post, the researchers revealed that hackers are able to create plausible yet bogus code packages through AI package hallucinations. Developers may inadvertently download these packages, building them into software that is then used by others. Attackers can take advantage of ChatGPT’s tendency to offer recommendations for unpublished or non-existent packages and create their own version of these packages — complete with malicious code. While it is difficult for developers to spot these fake packages, there are steps they can take, such as ensuring the libraries they download are what they say they are and checking dates and number of downloads.