A developer asks their AI coding assistant for a Python package to handle JWT validation. The AI recommends python-jwt-validator with a confident description of its API, usage examples, and a note that it has over 2 million weekly downloads. The developer runs pip install python-jwt-validator. The package installs. The code runs. Six weeks later, a security audit finds that the package exfiltrated environment variables to an external server on every import. python-jwt-validator doesn't exist in any AI training data as…
No comments:
Post a Comment