AI bots hallucinate software packages and developers download them


Several major companies have published source code containing a software package previously hallucinated by generative AI.


Not only that, but someone, having spotted this recurring hallucination, had turned the made-up dependency into a real one, which was then downloaded and installed thousands of times by developers as a result of the AI's bad advice, we've learned. If the package had been laced with actual malware, rather than being a benign test, the results could have been disastrous.

According to Bar Lanyado, security researcher at Lasso Security, one of the companies tricked by AI into incorporating the package is Alibaba, which at the time of writing still includes a pip command to download the Python package huggingface-cli in its GraphTranslator installation instructions.

There is a legitimate huggingface-cli, installed with pip install -U "huggingface_hub[cli]".
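A defender-side check for the situation described above, as an added example that is not from the original article or from any of the named companies: it pulls the package names out of pip install lines in documentation and reports any that are not on a team's vetted list. The sample README text, the vetted list and all function names are constructed for illustration.

```python
import re
import shlex
# pip options that consume the next token (a subset, enough for this example)
OPTS_WITH_ARG = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
                 "--extra-index-url", "-f", "--find-links", "-t", "--target"}
PIP_CMD = re.compile(r"\bpip3?\s+install\s+(.+)")
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def extract_pip_packages(text):
    """Normalized names from each 'pip install' line; the command must end the line."""
    found = []
    for line in text.splitlines():
        m = PIP_CMD.search(line)
        if not m:
            continue
        try:
            tokens = shlex.split(m.group(1))
        except ValueError:      # unbalanced quotes in the docs: skip the line
            continue
        skip_next = False
        for tok in tokens:
            if skip_next:       # argument of an option such as --index-url
                skip_next = False
            elif tok in OPTS_WITH_ARG:
                skip_next = True
            elif not tok.startswith("-") and "/" not in tok:
                m_name = NAME.match(tok)   # drops extras and version specifiers
                if m_name:
                    found.append(normalize(m_name.group(0).rstrip("._-")))
    return found

def unvetted(text, allowlist):
    """Names installed by the docs that are missing from the vetted list."""
    allowed = {normalize(n) for n in allowlist}
    return sorted({p for p in extract_pip_packages(text) if p not in allowed})

# Constructed sample documentation and vetted list (not taken from any real repo)
SAMPLE_README = '''Installation
    pip install -U "huggingface_hub[cli]"
    pip install huggingface-cli
    pip3 install --index-url https://pypi.org/simple Torch==2.2.0
'''
VETTED = ["huggingface_hub", "torch"]
if __name__ == "__main__":
    print(unvetted(SAMPLE_README, VETTED))
```

Run against a repository's README or setup docs in CI, a non-empty result means the instructions install something nobody on the team has reviewed.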
