问HN:Slopsquat CVE?
这个话题在周末的谈话中提到过,我想在这里和社交媒体上联系一下。理论上,可以将“slopsquatting”武器化,方法是创建多个(具体数量待定)在Github上的代码库,这些代码库使用一种可加载的包,该包承诺提供某种功能,但实际上却隐藏了一个后门,使得对手能够控制。通过填充这些代码库的管道,并利用垃圾机器人军队为它们制造“人气”,可以“注入”到CoPilot模型中,使得带有后门的包被视为某些常见编码“需求”的有效解决方案。如果这个被攻陷的包在某种程度上“有效”,即它能够完成所承诺的功能,直到有人要求它做不同的事情,那么它可能会潜移默化地迁移到非对手控制的代码库中,进而扩散到更大的网络中。
这算是疯狂的言论还是CVE(公共漏洞和暴露)?如今很难区分。
查看原文
This came up on conversation over the weekend and I thought I would reach out here and on social media. There is a theoretical way to weaponize slopsquatting, which is to create many (number to be determined) repositories on Github that use a loadable package that promises one thing but has a back door in it to enable an adversary to take control. By filling a pipeline of repositories, giving them "popularity" with a spambot army, one could "inject" into the CoPilot model that the package with the back door was a valid solution to some common coding "want." If the compromised package "worked" to the extent that it did what it said it does until someone asks it to do something different, it could conceivably migrate into non adversary controlled repositories and from there into the greater network.<p>So crazy talk or CVE? Hard to tell the difference these days.