I'm assuming you are talking about agents like claude-code and open-code which rely on GPT functions (AKA Large Language Models).
The reason they don't detect these risks is primarily because these risks are emergent, and happen overnight (literally in the case of axios - compromised at night). Axios has a good reputation. It is by definition impossible for a pre-trained LLM to keep up with time-sensitive changes.
I mean that agents can scan the code to find anything "suspicious". After all, security vendors that claim to "detect" malware in packages are relying on LLMs for detection.
An LLM is not a suitable substitute for purpose-built SAST software in my opinion. In my experience, they are great at looking at logs, error messages, sifting through test output, and that sort of thing. But I don't think they're going to be too reliable at detecting malware via static analysis. They just aren't built for that.
You don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things", it's disruptive.
Can we all just agree that cyber criminals suck? Especially if you are a legit developer who wants to offer useful apps to the world?
Don't get me wrong, I can't stand surveillance, and I think age verification is virtue signaling and will have very little effect on actual cyber crime. We need a better way to stop online abuse.
But certificates, GateKeeper, app certification, app stores etc. are all supposed to mitigate serious harm from bad actors.
We need to get much better at security in general if we want to have nice things.
The worst cybercriminals are allowed on the app store. Facebook and Google are two obvious examples.
Even if you avoid installing their apps, take a look at all the third-party data harvesting malware that iOS apps bundle. You'll find you have plenty of stuff installed from them, and even worse actors.
Linux doesn't have any of this developer certification bullshit, and it has (almost) none of these issues.
How exactly are you turning my comment into defending Facebook and Google? If that's how it comes off then I believe it is being misinterpreted.
I would also argue that Linux does have it - at least in Ubuntu it does with snaps. And package maintainers do a lot of unseen, thankless work as well.
As a developer, I do not like having to deal with certificates. But the few times I have seen them prevent serious problems, I was glad they were there.
Does anyone else ever think "that code I just pushed into my repo just took down all of github..." whenever it goes down around the same time you sync your changes?
If Citizens United is not challenged, we will end up being governed by corporate billionaires. Forcing age verification down our throats will be the least of our worries if this continues.
I feel like this is why the communication medium matters so much to how things are perceived. There is like this extra layer of nuance and detail that is critical in email/chat and must be accounted for. Like the "Thanks!" thing. It's darn near impossible to hear the tone of someone's voice in email. So for me, the "Thanks!" ending kinda defaults to sounding like "Ha ha! It's your problem now!" in my head. Which may or may not be completely wrong.