Incident 731: Hallucinated Software Packages with Potential Malware Downloaded Thousands of Times by Developers

Description: Generative AI models repeatedly recommended software packages that did not exist. Security researcher Bar Lanyado, as an experiment, registered one of those hallucinated names, "huggingface-cli," on PyPI. The package was downloaded more than 15,000 times, and large companies including Alibaba incorporated it into published code and install instructions. Although framed as an experiment, the incident demonstrates the harm AI-generated hallucinations in coding can cause: the fake package was distributed widely, and anyone who had registered the same hallucinated name could have shipped malware to the same downstream users.
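The control a practitioner wants against this pattern is a gate that refuses any package name that is not on a vetted allow-list, because the whole point of a hallucinated name is that it looks plausible. The following is an added example, not code from the AI Incident Database, The Register, or Bar Lanyado's research. The allow-list, the sample `pip install` text, and the helper names (`gate`, `extract_requirements`, `closest_vetted`) are constructed for illustration; the allow-list includes huggingface-hub, the real package that provides the `huggingface-cli` command, so the example shows how the hallucinated name would be caught and what hint a developer would get.

```python
"""Pre-install gate against hallucinated (slopsquatted) package names.

Added example, not code from the AI Incident Database, The Register, or Bar
Lanyado's research. The vetted-package list and the sample install text below
are constructed for illustration.
"""
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Constructed allow-list: packages the organisation has actually reviewed.
# In practice this would be generated from a lockfile or an internal index.
# huggingface-hub is the real package that provides the `huggingface-cli`
# command; "huggingface-cli" itself is the hallucinated name from the incident.
VETTED_PACKAGES: frozenset[str] = frozenset({
    "huggingface-hub",
    "transformers",
    "torch",
    "numpy",
    "requests",
})

# Constructed sample of the install instructions an LLM (or a README that
# copied them) might hand a developer.
SAMPLE_INSTALL_TEXT = """\
# Setup
pip install torch transformers
pip install huggingface-cli   # hallucinated; the real package is huggingface_hub
pip install numpy>=1.24 requests==2.31.0
"""

# Leading package name of a requirement token, before any version specifier,
# extras or environment marker (e.g. "numpy>=1.24" -> "numpy").
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def extract_requirements(text: str) -> list[str]:
    """Return normalised package names from every `pip install ...` line in text."""
    names: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("pip install"):
            continue
        for token in line[len("pip install"):].split():
            if token.startswith("-"):            # skip pip options such as -U
                continue
            m = _NAME_RE.match(token)
            if m:
                names.append(normalize(m.group(1)))
    return names


def closest_vetted(name: str, vetted: frozenset[str]) -> tuple[str, float]:
    """Nearest vetted name by difflib ratio, to hint at what was probably meant."""
    best, best_score = "", 0.0
    for candidate in sorted(vetted):
        score = SequenceMatcher(None, name, candidate).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best, best_score


def gate(text: str, vetted: frozenset[str] = VETTED_PACKAGES) -> dict[str, dict]:
    """Verdict per requested package: allowed if vetted, otherwise blocked with a hint.

    Anything not on the allow-list is blocked regardless of how plausible the
    name looks; plausibility is exactly what a hallucinated name has going for it.
    """
    verdicts: dict[str, dict] = {}
    for name in extract_requirements(text):
        if name in vetted:
            verdicts[name] = {"allowed": True}
        else:
            near, score = closest_vetted(name, vetted)
            verdicts[name] = {
                "allowed": False,
                "nearest_vetted": near,
                "similarity": round(score, 2),
            }
    return verdicts


if __name__ == "__main__":
    for pkg, verdict in gate(SAMPLE_INSTALL_TEXT).items():
        if verdict["allowed"]:
            print(f"OK     {pkg}")
        else:
            print(f"BLOCK  {pkg}  (did you mean {verdict['nearest_vetted']}? "
                  f"similarity {verdict['similarity']})")
```

The similarity hint is deliberately advisory only: a name close to a vetted package is still blocked, since near-miss names are exactly how typosquatting and slopsquatting work. Running the block as a script blocks huggingface-cli and suggests huggingface-hub while letting the four vetted packages through.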


Incident Stats

Incident ID: 731
Report Count: 1
Incident Date: 2023-12-01
Editors: Daniel Atherton

AI hallucinates software packages and devs download them – even if potentially poisoned with malware
theregister.com · 2024

Several big businesses have published source code that incorporates a software package previously hallucinated by generative AI.

Not only that but someone, having spotted this reoccurring hallucination, had turned that made-up dependency in…

Variants

A "variant" is an incident that shares the same causative factors, produces similar harms, and involves the same intelligent systems as a known AI incident. Rather than index variants as entirely separate incidents, we list variations of incidents under the first similar incident submitted to the database. Unlike other submission types to the incident database, variants are not required to have reporting in evidence external to the Incident Database. Learn more from the research paper.

Similar Incidents

By textual similarity


Hackers Break Apple Face ID · 24 reports
Biased Sentiment Analysis · 7 reports