https://ask.clojure.org/index.php/tag/abuse https://ask.clojure.org/index.php/15140/clj-risk-of-automatic-dependency-update-causing-rce <p>I think we should consider enforcing some mechanism to prevent automatic, ai-induced dependency downloading to enable abusers to cause automatic execution of arbitrary code any time a user of AI updates any dependency graph.</p> <p>NPM is currently getting abused frequently via this vector.</p> <p>NPM has the unfortunate aspect that when you run <code>npm install</code> it will enable code execution of code provided by a third-party.</p> <p>In the age of AI, a hacker could pose as a library useful for something, and do remote code execution via the ability to do something seemingly innocuous and very common in a workplace environment.</p> <p>Corporate sabotagists could easily take advantage of this mechanism of compromise and infiltrate common corporate environments.</p> Clojure CLI https://ask.clojure.org/index.php/15140/clj-risk-of-automatic-dependency-update-causing-rce Tue, 16 Jun 2026 08:16:29 +0000