Latest Armis Labs Report Uncovers New Security Risks of AI Coding

Artificial intelligence coding assistants promise to make developers more productive. But the new research report from Armis Labs, Catch Attackers Before They Strike: Early Warning Insights for Software Supply Chain Attacks, reveals a troubling side effect: these tools are creating fresh pathways for cyberattacks through phenomenons like slopsquatting and vibe coding.

These emerging threats exploit a quirk in how AI models work. When coding assistants suggest non-existent software packages, attackers can register these fake packages and inject malicious code. The result? Developers unknowingly install malware directly into their projects.

Slopsquatting represents a new evolution in software supply chain attacks. Unlike traditional methods that required infiltrating trusted vendors over months, this approach bypasses traditional security measures because the malware comes disguised as legitimate dependencies suggested by trusted AI tools.

The threat isn’t theoretical and several concerning examples have been documented, including a package masqueraded as an add-on for a popular cryptocurrency trading library. It was designed to reroute trading orders to a malicious server and steal tokens. The package was downloaded over 1,000 times before removal.

The “Vibe Coding” Problem

The risk is amplified by what security researchers call “vibe coding” – rapid prototyping and deployment with minimal peer review. Organizations demand speed and agility, leading developers to rely heavily on AI suggestions without thorough verification. The report shows that all tested AI platforms exhibited “very high” to “extreme” security risks. No platform delivered security aligned with OWASP or NIST standards.

Top 25 Software Supply Chain Attacks

Through a combination of human intelligence, dynamic deception technology and AI/ML that detects threat actor behaviors before actual exploitation, our team identified the most dangerous software supply chain attacks currently active. Our research shows attackers are becoming more sophisticated. They’re targeting widely-used libraries across multiple programming languages and using increasingly subtle methods to hide malicious code.

The Path Forward

The rise of AI coding tools creates both opportunities and risks. While these tools can boost productivity, they also introduce new attack vectors that traditional security measures weren’t designed to handle.

Organizations need to adapt their security practices for an AI-driven development environment. This means combining the benefits of AI assistance with rigorous human oversight and automated security controls.

The key is finding the right balance. Teams can harness AI’s power while maintaining the security vigilance necessary to protect against sophisticated supply chain attacks.

Ready to learn about emerging trends in software supply chain attacks and get your hands on the top 25 risks identified by Armis Labs? Get your report copy today.