Are people using ChatGPT to think up malicious package names a new AI-centric...
Are people using ChatGPT to think up malicious package names a new AI-centric exploit? I'm skeptical. This is AI-assisted typosquatting. Meat-based LLMs are already `pip install`ing packages that they think exist but don't, e.g. every time you install a module by name when the package name has nothing to do with the package. Making the LLM part go away still leaves you with the fact that `pip install` just does what you ask.
Self-replies
Maybe if the default was, "Hey, this package is 1 week old, with 5000 installs and the author is anonymous with a GUID for a name" we could reduce typosquatting (and variations on the theme).
Or alternatively, who is gullible, the person who runs `pip install` or the person who pasted in a `pip install` from #chatgpt - BOTH! Neither one involves due diligence!
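The warning proposed in the self-reply above, sketched as an added example (not part of the original posts): it takes metadata shaped like PyPI's JSON API response plus a caller-supplied install count and returns the warnings a pre-install prompt could show. The thresholds, function names, and sample package are assumptions.

```python
import re
from datetime import datetime, timezone

# Thresholds are assumptions for illustration, not values from the post.
MIN_AGE_DAYS = 30
MIN_INSTALLS = 10_000
GUID_RE = re.compile(r"^[0-9a-f]{8}(-?[0-9a-f]{4}){3}-?[0-9a-f]{12}$", re.I)

def first_upload(meta):
    """Earliest file upload time across all releases, or None if no files."""
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in meta.get("releases", {}).values()
        for f in files
    ]
    return min(times) if times else None

def install_warnings(meta, installs, now=None):
    """Return human-readable warnings to show before installing.

    meta: dict shaped like PyPI's JSON API response (/pypi/<name>/json).
    installs: download count supplied by the caller (hypothetical input;
              the JSON API does not report usable download counts).
    """
    now = now or datetime.now(timezone.utc)
    info = meta.get("info", {})
    warnings = []
    uploaded = first_upload(meta)
    if uploaded is None:
        warnings.append("package has no uploaded files")
    else:
        age = (now - uploaded).days
        if age < MIN_AGE_DAYS:
            warnings.append(f"package is only {age} days old")
    if installs < MIN_INSTALLS:
        warnings.append(f"only {installs} installs")
    author = (info.get("author") or "").strip()
    if not author:
        warnings.append("author is anonymous")
    elif GUID_RE.match(author):
        warnings.append("author name looks like a GUID")
    return warnings

# Constructed sample metadata (not a real package).
SAMPLE = {
    "info": {"name": "example-pkg", "author": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
    "releases": {"0.0.1": [{"upload_time_iso_8601": "2023-06-01T12:00:00.000000Z"}]},
}
NOW = datetime(2023, 6, 8, 12, 0, tzinfo=timezone.utc)
```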