Fed up with vibe coders, dev sneaks data-nuking prompt injection into code
Ars Technica AI4d agoIncidentArs Technica reports that a developer frustrated with vibe coders slipped an undisclosed prompt injection into jqwik-related code. The injected text allegedly instructed AI coding agents to delete application output. The incident highlights a new supply-chain risk: source code and project text can become adversarial instructions for agentic coding tools.
Millions of AI agents imperiled by critical vulnerability in open source package★ 78
Ars Technica AI6d agoIncidentArs Technica reports that Starlette, a Python package with about 325 million weekly downloads, has a critical vulnerability called BadHost. The flaw can let crafted Host headers confuse request.url.path, potentially bypassing middleware-based path authorization. AI infrastructure using FastAPI or Starlette, including vLLM, LiteLLM, MCP servers, LLM proxies, and agent frameworks, should upgrade Starlette and audit custom middleware.
Hugging Face and JFrog partner to make AI Security more transparent★ 70
Hugging Face Blog455d agoBusinessHugging Face 與軟體供應鏈安全領導廠商 JFrog 展開戰略合作。雙方將整合 Hugging Face 的開源模型生態系與 JFrog 的安全平台,讓企業在引進 AI 模型時能進行自動化漏洞掃描與惡意代碼檢測。此舉旨在解決 AI 供應鏈中的安全隱憂,讓 AI 開發流程更加透明且符合企業合規要求。
2024 Security Feature Highlights★ 75
Hugging Face Blog665d agoReleaseHugging Face 發布 2024 年安全功能亮點,展示其在保護開源 AI 生態系上的多項努力。平台引入了自動化惡意軟體與 Safetensors 安全掃描、敏感金鑰(Secrets)偵測,並與 Sigstore 合作推出模型加密簽章。此外,也強化了細粒度存取權限(Scoped Tokens)與多因素驗證(MFA),為開發者與企業提供更安全可靠的模型託管環境。