- In 2023, security researcher Bar Lanyado noted that LLMs hallucinated a package named "huggingface-cli". While this name is identical to the command used for the command-line version of HuggingFace Hub, it is not the name of the package. The software is correctly installed with the code `pip install -U "huggingface_hub[cli]"`. Lanyado tested the potential for slopsquatting by uploading an empty package under this hallucinated name. In three months, it had received over 30,000 downloads. The hallucinated package name was also used in the README file of a repo for research conducted by Alibaba.
dianereese · 13 days ago
Wow, 30,000 downloads in such a short time is kind of scary. It really shows how easily a simple hallucination from an LLM can turn into a major security issue. Just like players need to pay attention to every detail in Geometry Dash Lite, I think devs and researchers need to double-check every package name they see, because small slips like this could cause big problems.
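One way to check package names before installing, as an added example that is not part of the original post or the comment: it pulls the targets of `pip install` commands out of README or LLM-generated text, normalizes them per PEP 503, and reports any name missing from a vetted allowlist together with the closest vetted name. The allowlist `VETTED`, the function names and the sample `README` are constructed for illustration.

```python
import difflib
import re
import shlex

# Constructed allowlist of distributions a (hypothetical) team has vetted,
# stored in PEP 503 normalized form.
VETTED = {"huggingface-hub", "numpy", "requests"}

# pip install options that consume the following argument.
TAKES_VALUE = {"-r", "--requirement", "-c", "--constraint", "-e", "--editable",
               "-t", "--target", "-i", "--index-url", "--extra-index-url",
               "-f", "--find-links"}

def normalize(name):
    """PEP 503: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def pip_targets(line):
    """Normalized distribution names requested by a `pip install` on this line."""
    m = re.search(r"\bpip3?\s+install\s+([^`\n]*)", line)
    if not m:
        return []
    try:
        args = shlex.split(m.group(1))
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        args = m.group(1).split()
    names, skip = [], False
    for arg in args:
        if skip:                      # value belonging to the previous option
            skip = False
        elif arg in TAKES_VALUE:
            skip = True
        elif not arg.startswith("-") and "/" not in arg:  # not a flag, path or URL
            dist = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", arg)  # drop extras/versions
            if dist:
                names.append(normalize(dist.group()))
    return names

def unvetted(text):
    """(line number, name, closest vetted name or None) for each unknown target."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name in pip_targets(line):
            if name not in VETTED:
                close = difflib.get_close_matches(name, sorted(VETTED), n=1)
                findings.append((no, name, close[0] if close else None))
    return findings

# Constructed sample text mixing the correct command with the hallucinated name.
README = '''Install the hub client:
    $ pip install -U "huggingface_hub[cli]"
Then run `pip install huggingface-cli "requests>=2.31"` to get the CLI.
'''
```

A name that is flagged but has a close vetted neighbour, as `huggingface-cli` does here, is the case to review by hand before anything is installed.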