Developers using AI tools like GitHub Copilot to generate code are introducing new supply chain risks. AI models often "hallucinate" code, creating fictional dependencies that can be exploited by attackers. These dependencies can be legitimate-looking but actually malicious, allowing attackers to inject malware into software supply chains.
The risk arises when developers unknowingly incorporate these AI-generated dependencies into their projects. Attackers can then exploit these vulnerabilities to compromise software and steal sensitive data.
Researchers have found that AI-generated code can reference non-existent packages, which can be registered by attackers and used to distribute malware. This highlights the need for developers to carefully vet AI-generated code and dependencies to prevent potential security breaches.
As AI becomes increasingly integrated into software development, it's crucial to address these emerging risks and ensure the security of the software supply chain.
