AI Code Packages Open Doors For Hackers, Study Finds - 1

man programming in the dark

AI Code Packages Open Doors For Hackers, Study Finds

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

AI-generated code often includes fake software libraries, creating new opportunities for hackers to exploit supply chains and compromise users across development platforms.

In a rush? Here are the quick facts:

  • AI code generators hallucinate non-existent software dependencies.
  • 440,000 hallucinated packages found in 576,000 AI-generated code samples.
  • Open-source models hallucinate 4x more than commercial ones.

Research indicates that AI tool-generated code creates substantial security vulnerabilities which threaten the software supply chain. The research, first reported by Ars Technica , indicated that large language models (LLMs) which operate similarly to ChatGPT systems generate fictional code dependencies which hackers can potentially use for malicious purposes.

Ars reports that the researchers evaluated 16 widely used AI models through the generation of 576,000 code samples. The analysis revealed that 440,000 package references were hallucinated because they pointed to non-existent code libraries.

The existence of these fabricated dependencies creates a significant security risk. Ars reports that attackers can identify repeated AI suggestions of package names to upload malicious packages with those names. The attacker gains control of a developer’s system when they unknowingly install the malicious code.

“Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users,” explained Joseph Spracklen, a Ph.D. student at the University of Texas at San Antonio and lead researcher, as reported by Ars.

“If a user trusts the LLM’s output and installs the package without carefully verifying it, the attacker’s payload, hidden in the malicious package, would be executed on the user’s system,” Spracklen added.

The attack method tricks software into selecting a dangerous package version instead of the intended correct version, as reported by Ars. The dependency confusion attack affected major technology companies, including Apple, Microsoft, and Tesla, during previous testing.

The researchers discovered that open-source models, like CodeLlama, generated more hallucinated packages than commercial models did. The open models generated false code references at a rate of 22%, while commercial models produced hallucinations at 5% or less. The JavaScript programming language experienced more hallucinations than Python because it operates within a larger and more complex code ecosystem.

According to the study, these are not just one-off mistakes. The study reported that many fake packages appeared repeatedly in different tests, which makes them more dangerous because they can be targeted more easily by attackers.

Ars explains that attackers could exploit repeated fake package names by uploading malware under those names, hoping developers unknowingly install them.

Identity Security Company Veza Raises $108 Million, Backed By Snowflake, Atlassian, And Workday - 2

Photo by Annie Spratt on Unsplash

Identity Security Company Veza Raises $108 Million, Backed By Snowflake, Atlassian, And Workday

  • Written by Andrea Miliani Former Tech News Expert
  • Fact-Checked by Sarah Frazier Former Content Manager

The identity security startup Veza has raised $108 million in a recent Series D funding round, bringing its valuation to $808 million. The round was led by New Enterprise Associates and included participation from new investors as well as leading cloud companies such as Snowflake, Atlassian, and Workday.

In a rush? Here are the quick facts:

  • Veza raised $108 million in a recent Series D round, reaching a $808 million valuation.
  • The identity security startup will invest in go-to-market strategies and the development of its platform.
  • The company provides identity governance and administration tools to multiple companies.

According to the press release , Veza plans to use the new investment to expand its go-to-market strategies and further develop its products.

Founded in 2020 and headquartered in California, the startup has developed a platform that provides companies with identity governance and administration tools to track access across cloud environments. Its AI-powered software integrates with multiple platforms, helping protect data across diverse technologies.

Veza works with global clients such as Expedia and Wynn Resorts, managing identity security cases. In the recent funding round, additional tech companies joined the project, while existing investors—including Google Ventures, Capital One Ventures, and J.P. Morgan—also participated.

“Despite identity security being one of the most dynamic and critical sectors in cybersecurity, today’s legacy identity access providers are falling short of meeting modern security needs,” said Aaron Jacobson, Partner at New Enterprise Associates. “As enterprises prioritize secure and compliant data access, Veza has demonstrated unmatched product innovation and the ability to deliver impactful solutions for global organizations.”

Veza has shown significan growth in the past year, more than doubling its annual revenue compared to the previous period, securing new customers and large companies in multiple sectors such as retail, finance, and pharmaceuticals, and expanding its partnerships with previous clients. The company has over 190 employees worldwide and expects to hire over 30 new workers every quarter in 2025.

Veza has raised $108 million in Series D! This isn’t just a milestone for us—it’s a signal to the world that identity is at the center of cybersecurity. We’re grateful to our customers, investors, and community for backing our mission. https://t.co/FJxEjIsSAS pic.twitter.com/BBccsI3qW2 — Veza (@vezainc) April 28, 2025

“Identity used to be an IT function, but it has now become the leading battleground of cybersecurity, with almost every breach linked to credential abuse,” said Tarun Thakur, Veza Co-Founder and CEO. “Our latest funding is a wake-up call to the industry: the future of security starts with identity, and Veza leads the way.”

Indeed, identity has been a critical and growing concern. CrowdStrike’s latest Global Threat Report revealed that identity-based attacks are on the rise, and cloud services have become an attractive target for malicious actors.