In the good ol' days, we worried about individual maintainers becoming overburdened, or ripple effects from surprise deletions in dependency graphs. Now, with the power of AI, we get to worry about these things on a much bigger scale: on repeat, across entire ecosystems!
As AI agents outpace humans in code output, we’re entering a delightful time where vibe-coded pull requests are checked in because they "look right," even if they’ve silently re-introduced classes of security vulnerabilities we thought we'd eliminated.
In this talk, we’ll look at some delicious data from [suggested redaction during CFP review of the dataset] to see just how big the problem is (so far). We’ll explore AI slopsquatting, DDoSing maintainers through vulnerability reports (valid or superfluous), and whether "living at HEAD" (with its security risks) might be our best security strategy.
We’ll also talk: private forks, dynamic cooldowns, and whether or not that one legend in Nebraska has already left the chat. Come for the existential dread; stay for the practical tips on not letting your dependency graph become (more of) a dumpster fire.
We are seeing a massive shift in how code is produced and reviewed, and in the scale at which this is happening. While having “eyes on the code” forms the foundation of open-source security, a significant portion of those eyes are now LLMs. (“AIs on the code”, anyone? 🫠)
This talk will cover:
We’ll wrap up with a slightly-hopeful practical call to action. We’ll discuss why dynamic cooldown periods are your new best friend, how to use tools (both AI and not) to improve your security posture, and how to join the OSSF Malicious Package and other efforts to help hold back (or shine a light on) the tide.
Nicky describes herself as a recovering academic with a background in Computational Linguistics, and a recovering startup edtech founder. She co-founded Tech Inclusion, a technology education not-for-profit, and Grok Learning: a startup teaching hundreds of thousands of students to solve problems with code, before joining Big Tech where she currently works as a Product Manager in open source security. Named one of Australia’s inaugural “Superstars of STEM” and an AFR ‘Women of Influence’, Nicky is passionate about teaching the next generation to become the creators of tomorrow, while building a healthy, diverse community for them to thrive in.
Ash is an engineer working in product security and incident response. They are passionate about creating an inclusive and supportive tech community where everyone can thrive. When not putting out security fires, they can be found teaching computer science, and climbing mountains.