• Rentlar@lemmy.ca
    3 upvotes · 2 months ago

    This is why I’m always against auto-updates: malicious packages can get in way too easily and silently.

  • eleijeep@piefed.social
    2 upvotes, 1 downvote · 2 months ago

    My problem with this report is that the only source that BC links is the write-up by “Koi Security,” whose URL is “koi.ai,” and the write-up has a lot of markers of having been written by an LLM (slop).

    The supply-chain worm isn’t that far-fetched, but without corroboration it’s impossible to know how many of these details are real and how many were just statistically likely (hallucinated) according to the LLM. And there are a lot of complex features of this worm that just scream the favourite refrain of the LLM: “BUT WAIT! THERE’S MORE!”