Generative Trojan Horses: AI Automates Repository Poisoning in the Software Supply Chain
Cybercriminals use AI agents to stealthily inject malware and compromised dependencies into registries such as NPM and PyPI in bulk.
Generative Trojan Horses: AI Automates Repository Poisoning in the Software Supply Chain
Modern software is not written from scratch. It is assembled using existing building blocks: open source libraries and dependencies hosted in public repositories such as NPM (for Node.js) and PyPI (for Python).
This interconnection, which has allowed the accelerated takeoff of software development, has also become a priority target for attackers. With the advent of language models, hackers have found an ally to automate and camouflage software supply chain attacks on an unprecedented scale.
The rise of invisible AI-generated malware
Traditionally, malicious packages uploaded to public repositories consisted of simple information-stealing scripts that could be easily detected by automated security systems by analyzing static code signatures (such as looking for curl commands or direct connections to suspicious IPs).
Flujo del Envenenamiento de Dependencias con IA:
1. Agente IA clona librería popular ➔ Escribe modificaciones maliciosas sutiles
2. Ofuscación adaptativa con IA ➔ Evita la detección por firmas antivirus tradicionales
3. Publicación masiva en NPM/PyPI ➔ Usa técnicas de typosquatting (ej. react-domm)
Today, attackers use AI agents to generate extremely subtle modifications to existing libraries. AI can completely rewrite a legitimate network function from a library to collect keys and send them in chunked or encrypted form mimicking the style of the original programmer's code. This modified code evades static scanners because it does not contain known malware, but rather malicious logic written from scratch.
Typosquatting techniques and dependency confusion
Cybercriminals combine code generation with mass publishing automation. Using AI-controlled bots, they register hundreds of package names that mimic popular ones (such as lodash-utils instead of lodash, or misspelled variations such as requestt).
When a developer slips up when typing the installation command or when the company's dependency resolver suffers from "dependency confusion" (downloading a malicious public package instead of a private internal one with the same name), the infected code is injected directly into the developer's machine and production server.
Faced with this threat, security teams must go beyond traditional scanners. It is essential to use cryptographic signatures of commits, limit the execution of post-installation scripts (ignore-scripts) and use internal dependency proxies to isolate the development chain from public external repositories.
