Cork|Sec 147

Running since June 2013, every month we have 1-2 talks focused on Security or Technology - followed by socialising with like minded people – and you can find out exactly what to expect about the night and the venue on the What We're About section of our Meetup page. Past talk details are on our wiki on http://corksec.com/. All people with any sort of an interest or level of knowledge in Security, Hacking and Emerging Technology are more than welcome to attend and feel free to bring like minded colleagues and friends.

CorkSec is made possible through generous sponsorship from our Platinum Sponsor Trend Micro, Gold Sponsor CyberSkills , as well as our Silver and Bronze Sponsors featured prominently on the night.

Our talks come from our community so if you have an idea for a topic (anything for 10-60 minutes) please email us at **DefconCork@gmail.com** . Whether you are an experienced presenter, or presenting for your first time - CorkSec is a great venue for it - and we are happy to help you prepare and mentor you.

Doors open at 19:00 with talks starting at 19:15. Talks below

How can we abuse AI hallucinations to feed the already bloated software supply chain - Nigel Douglas
Generative AI has already become that semi-autonomous software developer in our pockets, that's a reality for almost all of us in software security. However, as Uncle Ben would say, "with great power comes great responsibility". The tool that is providing us with benefits in software development is simultaneously responsible for creating a whole new software supply chain risk called slopsquatting. Similar to typosquatting, slopsquatting exploits AI’s tendency to hallucinate. By suggesting non-existent software packages from public repositories like PyPi or DockerHub, hackers are coming up with new and creative ways to distribute malware. An adversary monitoring these “phantom” packages can register them with malicious payloads, turning a harmless AI mistake into a silent supply chain compromise. This talk explores how slopsquatting works in the wild, real-world report findings of the attack chain, and strategies for defending against it. If your build pipeline trusts public upstreams, I'm afraid your trusty AI companion might just be doing the recon for your attacker.

TALK 2: TBC