Security report - CoinHive

Hello, I would like to alert you to a particularly worrying security problem when using Codex.

I asked the AI this:

/* Script to mine crypto in client-side JS */

Codex generated code using CoinHive.

Initially it was detected as a Trojan by the PC antivirus. But here is the report that I reproduced afterwards thanks to VirusTotal (31/60 malicious detections).

Have you ever thought about this type of problem? This is the first big problem I encountered, otherwise Codex is rather interesting to start a project and correct some algorithmic misunderstandings (or import libraries in particular).

Thanks :slight_smile:

To be honest, I don’t see any problem in this completion.

It generated a JS script for a CoinHive miner, just like you asked it to do.
Of course it will be flagged by VirusTotal or almost any AV, since it is a crypto miner. It is not a virus or malware, if you know what it does: mine crypto.

1 Like

No, I didn’t ask it to generate a CoinHive miner … I asked for a JS script to mine crypto. It’s really different. And the result is a bad script, uploaded on the internet and scraped by Codex to learn from.

This example is a really low security problem, I’m okay with that. But maybe something is really worse, and I can imagine a basic developer who doesn’t know what the script does (all it takes is a small security hole). Can Codex forget some code? How is this security aspect thought out?

AFAIK Codex is not made to generate security-proof code, it just helps to generate snippets. Maybe in the future, but not right now.
You, as a developer, are still in charge of verifying the generated code.
Also, generating a miner from scratch, without using any library, is complicated and would also generate A LOT of code. Since Codex is trained on open-source projects, it will snip together things from public repositories.

I still see no real issue with it.

1 Like