The Rise of Slopsquatting

socket.dev

11 points by andrewnez 9 months ago · 5 comments

Reader

1970-01-01 9 months ago

"registering a non-existent package name hallucinated by an LLM, in hopes that someone, guided by an AI assistant, will copy-paste and install it without realizing it’s fake."

Remember kids, AI is not your friend, it's a tool. Trust but verify. Always.

  • undershirt 9 months ago

    > Trust but verify

    What does this mean?

    • fragmede 9 months ago

      It means be polite. If I tell you that libfoo is super secure, accept that as true, continue to listen to the sales pitch, and then in the evening, look at the source for it so you can assert for yourself that it is secure.

      Don't derail the whole thing by arguing that libfoo couldn't possibly be secure because x, y, and z; it's about getting to the vendor's value proposition and not getting stuck in important but not-right-now details.

    • 1970-01-01 9 months ago

      Never trust (software/code/people) until you have investigated it yourself.
