Latest news with #Pyth


WIRED
30-04-2025
- WIRED
AI Code Hallucinations Increase the Risk of 'Package Confusion' Attacks
Apr 30, 2025 3:08 PM

A new study found that code generated by AI is more likely to contain made-up information that can be used to trick software into interacting with malicious code.

AI-generated computer code is rife with references to non-existent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions, newly published research shows.

The study, which used 16 of the most widely used large language models to generate 576,000 code samples, found that 440,000 of the package dependencies they contained were 'hallucinated,' meaning they were non-existent. Open source models hallucinated the most, with 21 percent of the dependencies linking to non-existent libraries. A dependency is an essential code component that a separate piece of code requires to work properly. Dependencies save developers the hassle of rewriting code and are an essential part of the modern software supply chain.

Package hallucination flashbacks

These non-existent dependencies represent a threat to the software supply chain by exacerbating so-called dependency confusion attacks. These attacks work by causing a software package to access the wrong component dependency, for instance by publishing a malicious package and giving it the same name as the legitimate one but with a later version stamp. Software that depends on the package will, in some cases, choose the malicious version rather than the legitimate one because the former appears to be more recent. Also known as package confusion, this form of attack was first demonstrated in 2021 in a proof-of-concept exploit that executed counterfeit code on networks belonging to some of the biggest companies on the planet, Apple, Microsoft, and Tesla included.

It's one type of technique used in software supply-chain attacks, which aim to poison software at its very source in an attempt to infect all users downstream.

'Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users,' Joseph Spracklen, a University of Texas at San Antonio Ph.D. student and lead researcher, told Ars via email. 'If a user trusts the LLM's output and installs the package without carefully verifying it, the attacker's payload, hidden in the malicious package, would be executed on the user's system.'

In AI, hallucinations occur when an LLM produces outputs that are factually incorrect, nonsensical, or completely unrelated to the task it was assigned. Hallucinations have long dogged LLMs because they degrade their usefulness and trustworthiness and have proven vexingly difficult to predict and remedy. In a paper scheduled to be presented at the 2025 USENIX Security Symposium, the researchers have dubbed the phenomenon 'package hallucination.'

For the study, the researchers ran 30 tests, 16 in the Python programming language and 14 in JavaScript, that generated 19,200 code samples per test, for a total of 576,000 code samples. Of the 2.23 million package references contained in those samples, 440,445, or 19.7 percent, pointed to packages that didn't exist. Among these 440,445 package hallucinations, 205,474 had unique package names.

One of the things that makes package hallucinations potentially useful in supply-chain attacks is that 43 percent of package hallucinations were repeated over 10 queries. 'In addition,' the researchers wrote, '58 percent of the time, a hallucinated package is repeated more than once in 10 iterations, which shows that the majority of hallucinations are not simply random errors, but a repeatable phenomenon that persists across multiple iterations. This is significant because a persistent hallucination is more valuable for malicious actors looking to exploit this vulnerability and makes the hallucination attack vector a more viable threat.'

In other words, many package hallucinations aren't random one-off errors. Rather, specific names of non-existent packages are repeated over and over. Attackers could seize on the pattern by identifying nonexistent packages that are repeatedly hallucinated. The attackers would then publish malware using those names and wait for them to be accessed by large numbers of developers.

The study uncovered disparities in the LLMs and programming languages that produced the most package hallucinations. The average percentage of package hallucinations produced by open source LLMs such as CodeLlama and DeepSeek was nearly 22 percent, compared with a little more than 5 percent by commercial models. Code written in Python resulted in fewer hallucinations than JavaScript code, with an average of almost 16 percent compared with a little over 21 percent for JavaScript.

Asked what caused the differences, Spracklen wrote: 'This is a difficult question because large language models are extraordinarily complex systems, making it hard to directly trace causality. That said, we observed a significant disparity between commercial models (such as the ChatGPT series) and open-source models, which is almost certainly attributable to the much larger parameter counts of the commercial variants. Most estimates suggest that ChatGPT models have at least 10 times more parameters than the open-source models we tested, though the exact architecture and training details remain proprietary. Interestingly, among open-source models, we did not find a clear link between model size and hallucination rate, likely because they all operate within a relatively smaller parameter range.

'Beyond model size, differences in training data, fine-tuning, instruction training, and safety tuning all likely play a role in package hallucination rate. These processes are intended to improve model usability and reduce certain types of errors, but they may have unforeseen downstream effects on phenomena like package hallucination.

'Similarly, the higher hallucination rate for JavaScript packages compared to Python is also difficult to attribute definitively. We speculate that it stems from the fact that JavaScript has roughly 10 times more packages in its ecosystem than Python, combined with a more complicated namespace. With a much larger and more complex package landscape, it becomes harder for models to accurately recall specific package names, leading to greater uncertainty in their internal predictions and, ultimately, a higher rate of hallucinated packages.'

The findings are the latest to demonstrate the inherent untrustworthiness of LLM output. With Microsoft CTO Kevin Scott predicting that 95 percent of code will be AI-generated within five years, here's hoping developers heed the message.

This story originally appeared on Ars Technica.
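A pre-install check in the spirit of the 'carefully verifying' step Spracklen describes, added here as an illustration and not code from the study or from Ars: it pulls the top-level imports out of several generations of the same prompt, refuses any name that is not pinned in a lockfile allowlist, and counts how many generations each unknown name recurs in, so a reviewer sees which names keep coming back rather than appearing once. The snippets, the allowlist and the package names fastjsonvalidate and pyutilbelt are constructed for the example; note that import names can differ from distribution names (yaml vs PyYAML), so a real allowlist has to be keyed on import names.

```python
import re
import sys
from collections import Counter

# Constructed sample: four snippets standing in for the same prompt run
# four times through a code model. Not real model output.
GENERATIONS = [
    "import os\nimport requests\nimport fastjsonvalidate\nimport numpy as np\n",
    "import requests\nfrom fastjsonvalidate import validate\n",
    "import numpy as np\nimport pyutilbelt\n",
    "import requests\nimport fastjsonvalidate\nimport pyutilbelt\n",
]

# Constructed allowlist: the third-party import names a project's lockfile
# already pins. In practice derive it from the lockfile or a private index.
KNOWN_PACKAGES = {"requests", "numpy"}

# Standard-library modules never need installing (attribute exists on 3.10+).
STDLIB = getattr(sys, "stdlib_module_names", frozenset())

# First dotted component of 'import x.y as z' and 'from x.y import z'.
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.MULTILINE)


def top_level_imports(snippet):
    """Top-level module names a generated snippet tries to import."""
    return set(IMPORT_RE.findall(snippet))


def unknown_imports(snippet, known=KNOWN_PACKAGES):
    """Names that are neither standard library nor in the allowlist."""
    return {n for n in top_level_imports(snippet)
            if n not in known and n not in STDLIB}


def audit(generations, known=KNOWN_PACKAGES):
    """Count how many generations each unknown name appears in."""
    counts = Counter()
    for snippet in generations:
        counts.update(unknown_imports(snippet, known))
    return counts


def persistent(generations, known=KNOWN_PACKAGES, min_repeats=2):
    """Unknown names that recur across generations: the repeatable
    hallucinations the study singles out as the riskier kind."""
    return {n: c for n, c in audit(generations, known).items() if c >= min_repeats}


if __name__ == "__main__":
    for name, n in audit(GENERATIONS).most_common():
        print(f"BLOCK {name}: not in lockfile, seen in {n}/{len(GENERATIONS)} generations")
```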


Associated Press
02-04-2025
- Business
- Associated Press
Kamino Finance and Pyth Network Partner to Bridge DeFi Performance Gap
Kamino's Meta-Swap leverages Pyth Network's Express Relay to deliver a CEX-quality trading experience with transparency, self-custody, and composability

LONDON, April 2, 2025 (Bitwire) -- Pyth Network ('Pyth'), the universal price layer powering the next generation of finance, and DeFi protocol Kamino Finance today announced the launch of Meta-Swap, a next-generation swap router built to redefine what on-chain finance can do.

Kamino Swap's Meta-Swap is powered by Pyth Network's Express Relay and offers the highly competitive price execution previously found only in CeFi. Competitive price execution means tight spreads and fast, reliable trades for DeFi users; this is what Kamino Finance calls 'CEX-like performance.'

Instead of plugging into a single DEX or DEX aggregator—and being subject to liquidity fragmentation, protocol fees, or MEV—Meta-Swap broadcasts every swap to a network of searchers via Express Relay. Meta-Swap runs active simulations to ensure swaps execute successfully and at accurate prices, removing failed transactions and inflated quote estimates from the user experience entirely. This results in no more inaccurate quotes, no more failed swaps, and no more mid-quote checks or on-swap validation.

'Meta Swap, powered by Pyth's Express Relay, is bringing CEX-level execution to DeFi, without the MEV tax,' said Mike Cahill, CEO of Douro Labs, a leading contributor to Pyth Network. 'For the first time, traders are going to get the best possible price without any interference. This will make decentralized trading as fair, fast, and efficient as it is on centralized exchanges, thereby leveling the playing field between DeFi and CeFi to give all participants access to a borderless global financial market.'

Express Relay makes 'tipping' users, MEV elimination, and best price execution uniquely possible. It offers a secure auction environment for protocols to submit transaction opportunities to a network of top searchers. Searchers include Flow Traders, Wintermute, Auros, Caladan, Flowdesk, Tokka Labs, Selini, Swaap Finance, and Amber Group.

'Meta Swap is finally bringing the decentralized Nasdaq promise to Solana users—making high-performance trading a reality on Solana,' said Marius Ciubotariu, cofounder of Kamino Finance. 'Kamino's active simulation algorithm, together with Pyth's Express Relay auction network, constantly scans a wide pool of routes and searchers to deliver best execution on every trade.'

Kamino Meta-Swap joins Kamino's Limit Orders—launched in December 2024 with Express Relay—which have already surpassed $200M in volume and distributed nearly $100,000 in user tips. Together, Limit Orders, Meta-Swap, and an upcoming DCA product (to be powered by Express Relay) form a comprehensive trading suite designed for all types of users: from degens and casual traders to whales and institutions.

To learn more about Pyth Network, visit and follow on X and LinkedIn.

About Pyth Network

Pyth Network is the universal price layer for the global financial system, bringing the price of everything on-chain. With over 1000 price feeds and seamless integration across over 100 blockchain ecosystems, Pyth empowers developers to build decentralized applications with the speed, accuracy, and reliability of high-performance markets—providing sub-second, real-time data for digital assets, FX, ETFs, equities, and commodities. Supported by leading financial institutions—including Cboe, Revolut, Coinbase, Jane Street, Amina Bank, Two Sigma, and Virtu Financial—Pyth enables data providers to securely monetize their proprietary data while shaping the future of DeFi. By decentralizing access to high-fidelity price information, Pyth is breaking down financial barriers and ensuring that transparent, real-time pricing is available to everyone. With over $1 trillion in total transaction volume, Pyth is the foundation of a new, global financial system built on open-access data, fairness, and efficiency.

About Kamino Finance

Kamino Finance was originally created to offer users the easiest possible way of providing liquidity and earning yield on-chain. The protocol's one-click, auto-compounding concentrated liquidity strategies quickly became the most popular LP products on Solana and laid the foundation for what Kamino is now. Today, Kamino is a first-of-its-kind DeFi protocol that unifies lending, liquidity, and leverage into a single, secure DeFi product suite.

Media Contact: Melrose PR


Associated Press
06-03-2025
- Business
- Associated Press
Coinbase Integrates Pyth Lazer to Provide Real-Time Market Data to Users
By making market data accessible within one millisecond, the latest Pyth Lazer feature from Pyth Network is unlocking new competitive advantages for Coinbase users.

Pyth Network ('Pyth'), the universal price layer powering the next generation of finance, today announced that digital currency exchange Coinbase has integrated Pyth Lazer, a new high-speed, sub-second-latency service developed by the Pyth Network. Pyth Lazer is designed to provide real-time market data with update times as fast as one millisecond.

In trading, speed is the ultimate competitive advantage. Slow execution undermines order quality, leading to slippage, inefficiencies, missed arbitrage opportunities, and costly mistakes in volatile markets. Pyth Lazer targets latency-sensitive crypto trading applications and DeFi protocols, empowering them to compete with the speed of centralized exchanges. Its ultra-fast price feeds allow for customizable frequency channels to suit different needs within the blockchain ecosystem, enabling developers to be at the forefront of the evolving global digital asset markets.

'Every trader knows that it's not just about being right—it's about being first. Faster systems make it possible to capitalize on market movements, and DeFi needs the kind of infrastructure that can match or beat the performance of CeFi platforms so traders can lock in profits and keep liquidity deep and flowing,' said Mike Cahill, CEO of Douro Labs. 'Coinbase understands that Pyth Lazer is here to raise the bar, making it possible for DeFi to deliver real-time solutions so traders can access next-gen infrastructure that bridges the gap between DeFi and TradFi.'

Now integrated by Coinbase, Pyth Lazer enhances real-time price data accuracy and efficiency for on-chain applications. The feature:
- delivers market reality at unprecedented speed, allowing users to catch every price move before others see it;
- is ultra-efficient at keeping costs low;
- provides a lightweight design that saves money;
- shares real-time prices with minimal overhead.

'Coinbase International Exchange is dedicated to delivering unparalleled trading experiences. By integrating Pyth's Lazer technology, we're enhancing the speed and precision of pricing data on our exchange. We're excited to collaborate with Pyth and continue pushing the boundaries of innovation in the crypto trading space.' – Marc Zeitouni, CEO, Coinbase International Exchange

The integration of Pyth Lazer empowers Coinbase's operations with precise, real-time data for improved accuracy and responsiveness to market conditions. While Pyth's price feeds are typically used by DeFi applications, Coinbase's adoption of Lazer shows institutional interest in tapping into the Pyth price layer.

To learn more about Pyth Network, visit pyth.network and follow on X and LinkedIn.

About Pyth Network

Pyth Network is the universal price layer for the global financial system, bringing the price of everything on-chain. With over 1000 price feeds and seamless integration across over 100 blockchain ecosystems, Pyth empowers developers to build decentralized applications with the speed, accuracy, and reliability of high-performance markets—providing sub-second, real-time data for digital assets, FX, ETFs, equities, and commodities. Supported by leading financial institutions—including Cboe, Revolut, Coinbase, Jane Street, Amina Bank, Two Sigma, and Virtu Financial—Pyth enables data providers to securely monetize their proprietary data while shaping the future of DeFi. By decentralizing access to high-fidelity price information, Pyth is breaking down financial barriers and ensuring that transparent, real-time pricing is available to everyone. With over $1 trillion in total transaction volume, Pyth is the foundation of a new, global financial system built on open-access data, fairness, and efficiency.

To learn more, please visit: network/

About Coinbase

Crypto creates economic freedom by ensuring that people can participate fairly in the economy, and Coinbase (NASDAQ: COIN) is on a mission to increase economic freedom for more than 1 billion people. We're updating the century-old financial system by providing a trusted platform that makes it easy for people and institutions to engage with crypto assets, including trading, staking, safekeeping, spending, and fast, free global transfers. We also provide critical infrastructure for onchain activity and support builders who share our vision that onchain is the new online. And together with the crypto community, we advocate for responsible rules to make the benefits of crypto available around the world.

Media Contact: