Today in InfoSec Job Security News:
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
GitHub (github.com)
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog Consistency: so important
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
-
R relay@relay.an.exchange shared this topic
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
GitHub (github.com)
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog sure, but it did that so much faster than a human could!
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
@da_667 @GossiTheDog I will create the viruses and then sell my antivirus product to protect you
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
GitHub (github.com)
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
So a supply chain attack or actually genuine commits (or a mix as camouflage?) 🤯
-
@GossiTheDog so would you consider this mass accidents or a targeted supply-chain attack?
@DJGummikuh @GossiTheDog The purpose of a system is what it does. IMO these are not accidents.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
GitHub (github.com)
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog @davidgerard I asked it to put an OIDC flow into a confidential app. It worked! I mean, it also sent all of the secrets and access keys via the client… but someone not paying attention would probably just take it.
We’re going to see the dumbest security issues of our lives in the next couple of years, aren’t we.
-
@GossiTheDog @davidgerard I asked it to put an OIDC flow into a confidential app. It worked! I mean, it also sent all of the secrets and access keys via the client… but someone not paying attention would probably just take it.
We’re going to see the dumbest security issues of our lives in the next couple of years, aren’t we.
@ndevenish @davidgerard @GossiTheDog
Dumb security issues do not happen when poor code is injected into projects. Dumb security issues happen when pull requests are accepted without vetting. Keep in mind that humans have deliberately and accidentally introduced security issues into code bases far before AI.
You might rationale that anyone can fork a repo and then push to it all they want, and it will have its own git repo online. GitHub and GitLab tell you were the repo is forked from. When I fork a repo for personal use I only fork the original project (if it has not died and been passed on to another maintainers repo). It is not a good idea to use anyone else's repo that is not in sync with the official repo. That is akin to using software from just any download site on MS/Windows, it is asking for issues.
This is just my take on the situation. There are always going to be security issues. Our best line of defense is being aware of what we are doing.
-
R relay@relay.mycrowd.ca shared this topic
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
GitHub (github.com)
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog We need tools that scrape the list of repos that have accepted this shit, and either ban them or pin them to pre-slop versions/forks in dependency systems.
-
@GossiTheDog We need tools that scrape the list of repos that have accepted this shit, and either ban them or pin them to pre-slop versions/forks in dependency systems.
I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.
As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality.
It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.
It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.
Have a great day!
-
I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.
As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality.
It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.
It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.
Have a great day!
@unusnemo A repo that has AI slop anywhere it its git history isn't FOSS and has maintainers who have shown gross irresponsibility. Banning use of it as a dependency should not be controversial.
-
@unusnemo A repo that has AI slop anywhere it its git history isn't FOSS and has maintainers who have shown gross irresponsibility. Banning use of it as a dependency should not be controversial.
I do not think you read my comment, that is fine, I am not going to say that I agree to disagree with you because I never even broached the topic you responded with at all. Take care and have a great day, I can see this conversation is going nowhere. That if fine, we both have better things to do.
