Dark Reading

Hugging Face Packages Weaponized With a Single File Tweak

A tokenizer library file present in Hugging Face AI models can be manipulated to hijack the model's outputs and exfiltrate ...
CSOonline

Npm ecosystem vulnerable to new manifest confusion attack

Package manifests in the npm registry are not validated against metadata files in the package itself, leaving the door open for attackers. The npm (Node Package Manager) ecosystem of JavaScript ...
Bleeping Computer

NPM ecosystem at risk from “Manifest Confusion” attacks

The NPM (Node Package Manager) registry suffers from a security lapse called "manifest confusion," which undermines the trustworthiness of packages and makes it possible for attackers to hide malware ...