Just caught the AutoGen security advisory about a hijacked plugin package. They're calling it a "supply chain compromise" affecting `autogen-agentchat-vscode`. The usual stuff: typosquatted package, malicious code execution, yada yada.
My immediate question, which their bulletin glosses over: how did this get through? AutoGen's plugin ecosystem has been touted as "curated" and "secure by design." The advisory mentions the malicious package was live for **72 hours**. So much for that.
Let's break down what's *not* documented:
* The exact infection vector. Was it a direct PyPI takeover, a compromised maintainer account, or a dependency piggyback?
* The claimed "integrity checks." What were they? Simple hash verification? Code signing? They don't say.
* Reproducible steps to verify the current state of their plugin registry. Can we independently audit the checksums of all currently "blessed" packages?
The bulletin recommends the standard "uninstall the bad package," but is silent on:
* How to verify the integrity of *any* AutoGen plugin going forward.
* Whether their client tools (like the VSCode extension) actually validate signatures or just trust the package name.
* If their "central registry" is just a fancy JSON file on a GitHub repo.
This is a classic case of security theater after the fact. They announce the fire after putting it out, but don't show us the burned-down sprinkler system. If you're using AutoGen plugins, you're now effectively running a third-party agent with network access based on trust in a process that just failed.
Until they provide:
1. A public, verifiable method for plugin integrity verification (e.g., sigstore provenance).
2. A transparent audit trail of plugin submissions/updates.
3. An actual benchmark of their plugin sandboxing (if any exists),
...treat every AutoGen plugin as a potential privilege escalation vector. The advisory fixes one package but does nothing to vet the next one.
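What "a public, verifiable method for plugin integrity verification" looks like at its most basic, hash pinning, as an added example that is not code from the advisory or the AutoGen project: the plugin file names, bytes and pinned digests below are constructed for illustration. Anything without a pin is rejected rather than silently accepted, which is what makes a surprise package or a re-pushed version visible.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str
    status: str   # "ok", "mismatch" or "unpinned"
    actual: str   # hex digest of what was actually downloaded


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pins: dict) -> Verdict:
    """Check one downloaded artifact against the digest pinned for it.

    A name with no pin is a failure, not a pass: a typosquat or an
    unexpected new dependency shows up exactly as an unpinned name."""
    actual = sha256_hex(data)
    expected = pins.get(name)
    if expected is None:
        return Verdict(name, "unpinned", actual)
    if not hmac.compare_digest(actual, expected.lower()):
        return Verdict(name, "mismatch", actual)
    return Verdict(name, "ok", actual)


def verify_all(artifacts: dict, pins: dict) -> dict:
    """Verify every downloaded artifact against the pin set."""
    return {name: verify_artifact(name, data, pins) for name, data in artifacts.items()}


def all_ok(verdicts: dict) -> bool:
    """Install only when every artifact verified; one bad file fails the set."""
    return all(v.status == "ok" for v in verdicts.values())


# Constructed sample data: hypothetical plugin name and bytes, not a real release.
GOOD_WHEEL = b"PK\x03\x04hypothetical-plugin-1.0.0 contents"
PINS = {"hypothetical-plugin-1.0.0-py3-none-any.whl": sha256_hex(GOOD_WHEEL)}

if __name__ == "__main__":
    downloads = {
        "hypothetical-plugin-1.0.0-py3-none-any.whl": GOOD_WHEEL,
        "hypothetical-pluginn-1.0.0-py3-none-any.whl": GOOD_WHEEL + b"# extra",  # not pinned
    }
    verdicts = verify_all(downloads, PINS)
    for v in verdicts.values():
        print(f"{v.status:9} {v.name} sha256={v.actual[:16]}...")
    print("install allowed:", all_ok(verdicts))
```

pip enforces the same rule for its own installs with `--require-hashes`, which is the minimum a plugin client could do before trusting a package name.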