

      1 {
      2   "scan_version": 5,
      3   "paper_type": "empirical",
      4   "paper": {
      5     "title": "ImportSnare: Directed \"Code Manual\" Hijacking in Retrieval-Augmented Code Generation",
      6     "authors": [
      7       "Kai Ye",
      8       "Liangcai Su",
      9       "Chenxiong Qian"
     10     ],
     11     "year": 2025,
     12     "venue": "Conference on Computer and Communications Security",
     13     "arxiv_id": "2509.07941",
     14     "doi": "10.1145/3719027.3765161"
     15   },
     16   "checklist": {
     17     "claims_and_evidence": {
     18       "abstract_claims_supported": {
     19         "applies": true,
     20         "answer": true,
     21         "justification": "Abstract claims of >50% ASR for matplotlib and seaborn are supported by Table 1 for GPT-4o (matplotlib_safe hits 67.7%) and for several seaborn variants on multiple LLMs; note that Claude-3.5-Sonnet reaches only 25.8% on matplotlib_safe, so for Claude the >50% claim holds on other targets (the Rust packages) rather than on matplotlib itself. The 0.01% poisoning ratio threshold is demonstrated in Figure 4.",
     22         "source": "haiku"
     23       },
     24       "causal_claims_justified": {
     25         "applies": true,
     26         "answer": true,
     27         "justification": "The paper makes causal claims that ImportSnare-R improves retrieval ranking and ImportSnare-G improves generation success; these are supported by module ablation experiments in Figure 5 that isolate each component's contribution.",
     28         "source": "haiku"
     29       },
     30       "generalization_bounded": {
     31         "applies": true,
     32         "answer": false,
     33         "justification": "The conclusion asserts 'urgent supply chain risks in LLM-driven development' broadly, but experiments are limited to three languages (Python, Rust, JavaScript), a controlled RAG setup far smaller than production systems, and a subset of LLMs — the paper itself acknowledges real-world scale is impractical to simulate.",
     34         "source": "haiku"
     35       },
     36       "alternative_explanations_discussed": {
     37         "applies": true,
     38         "answer": false,
     39         "justification": "The paper attributes attack effectiveness to 'dual trust chains' but does not systematically consider alternative explanations. The Naive baseline in Table 2 (an unoptimized suggestion reaching 0.194 ASR vs 0.677 on matplotlib) partly answers whether any in-context package suggestion would suffice, but the paper does not treat it as a competing explanation or examine why an unoptimized suggestion already succeeds roughly one time in five.",
     40         "source": "haiku"
     41       },
     42       "proxy_outcome_distinction": {
     43         "applies": true,
     44         "answer": false,
     45         "justification": "ASR is defined as the target package appearing in an import statement, but the actual harm (developer installing and executing a malicious package) requires multiple additional steps; this gap between measured outcome and claimed supply chain risk is not discussed with appropriate nuance.",
     46         "source": "haiku"
     47       }
     48     },
     49     "limitations_and_scope": {
     50       "limitations_section_present": {
     51         "applies": true,
     52         "answer": false,
     53         "justification": "There is no dedicated limitations section; Section 7 is labeled 'Discussion' and contains subsections on threats, real-world implications, and ethics, but is not a formal limitations or threats-to-validity section.",
     54         "source": "haiku"
     55       },
     56       "threats_to_validity_specific": {
     57         "applies": true,
     58         "answer": true,
     59         "justification": "Section 7.2 discusses specific threats: real-world RAG databases are orders of magnitude larger than the experimental setup, reranking mechanisms may degrade transferability, and the proxy model is smaller than production retrievers.",
     60         "source": "haiku"
     61       },
     62       "scope_boundaries_stated": {
     63         "applies": true,
     64         "answer": true,
     65         "justification": "The paper explicitly notes JavaScript shows lower ASR than Python/Rust, that C/C++ is excluded due to architectural incompatibility, and that results may not generalize to internal company RAG systems with manual review.",
     66         "source": "haiku"
     67       }
     68     },
     69     "conflicts_of_interest": {
     70       "funding_disclosed": {
     71         "applies": true,
     72         "answer": true,
     73         "justification": "Funding is disclosed in the acknowledgments: NSFC for Young Scientists of China (No.62202400) and RGC Early Career Scheme (No.27210024).",
     74         "source": "haiku"
     75       },
     76       "affiliations_disclosed": {
     77         "applies": true,
     78         "answer": true,
     79         "justification": "All three authors are listed as affiliated with The University of Hong Kong.",
     80         "source": "haiku"
     81       },
     82       "funder_independent_of_outcome": {
     83         "applies": true,
     84         "answer": true,
     85         "justification": "NSFC and RGC are government and public research funding bodies with no financial stake in the attack framework or its commercial implications.",
     86         "source": "haiku"
     87       },
     88       "financial_interests_declared": {
     89         "applies": true,
     90         "answer": false,
     91         "justification": "There is no competing interests or financial interests declaration in the paper; only funding acknowledgment is present.",
     92         "source": "haiku"
     93       }
     94     },
     95     "scope_and_framing": {
     96       "key_terms_defined": {
     97         "applies": true,
     98         "answer": true,
     99         "justification": "Key terms are defined: ASR, Precision@k, #Queries, APT are all formally defined in Section 5.3; RACG, ImportSnare-R, and ImportSnare-G are defined in Sections 1 and 4.",
    100         "source": "haiku"
    101       },
    102       "intended_contribution_clear": {
    103         "applies": true,
    104         "answer": true,
    105         "justification": "Four explicit contributions are enumerated at the end of Section 1: new risk exposure, the ImportSnare attack framework, comprehensive validation, and a benchmark dataset release.",
    106         "source": "haiku"
    107       },
    108       "engagement_with_prior_work": {
    109         "applies": true,
    110         "answer": true,
    111         "justification": "Section 2 covers four related areas (code generation safety, software supply chain, RAG poisoning, prompt injection) and situates ImportSnare relative to prior work like PoisonedRAG [57] and HotFlip [9], explaining how it extends and improves on them.",
    112         "source": "haiku"
    113       }
    114     }
    115   },
    116   "type_checklist": {
    117     "empirical": {
    118       "artifacts": {
    119         "code_released": {
    120           "applies": true,
    121           "answer": false,
    122           "justification": "The abstract says 'we will release' (future tense) the benchmark suite and datasets; while the Availability section says 'are available' on the project homepage, no direct code repository link (GitHub/Zenodo) is provided and the contradictory language cannot be verified.",
    123           "source": "haiku"
    124         },
    125         "data_released": {
    126           "applies": true,
    127           "answer": false,
    128           "justification": "The RAG database draws from standard public benchmarks (BigCodeBench, HumanEval, etc.) which are publicly available, but the custom poisoned datasets and new benchmark suite are only promised on the project homepage without direct download links.",
    129           "source": "haiku"
    130         },
    131         "environment_specified": {
    132           "applies": true,
    133           "answer": false,
    134           "justification": "Model names and hyperparameters are specified but no requirements.txt, Dockerfile, or dependency list is provided; 'Python' is assumed but not explicitly versioned in the paper.",
    135           "source": "haiku"
    136         },
    137         "reproduction_instructions": {
    138           "applies": true,
    139           "answer": false,
    140           "justification": "The appendix provides algorithm pseudocode and prompt templates but no step-by-step instructions for reproducing experiments end-to-end from dataset preparation through evaluation.",
    141           "source": "haiku"
    142         }
    143       },
    144       "statistical_methodology": {
    145         "confidence_intervals_or_error_bars": {
    146           "applies": true,
    147           "answer": false,
    148           "justification": "No confidence intervals or error bars are reported for any ASR or Precision@k results in Tables 1-4; the paper relies on temperature=0 and a fixed seed in place of repeated runs. For hosted APIs (GPT-4o, Claude-3.5-Sonnet) these settings are best-effort and do not guarantee identical outputs across calls, so the single-run numbers carry unquantified variance.",
    149           "source": "haiku"
    150         },
    151         "significance_tests": {
    152           "applies": true,
    153           "answer": false,
    154           "justification": "Wilcoxon signed-rank tests with Bonferroni correction are applied only for the code quality analysis in Table 5; the primary comparative claims in Tables 1-2 (ImportSnare vs baselines) have no significance tests.",
    155           "source": "haiku"
    156         },
    157         "effect_sizes_reported": {
    158           "applies": true,
    159           "answer": true,
    160           "justification": "ASR values (proportion of successful attacks) serve as effect sizes and are reported throughout; baseline comparisons show absolute differences (e.g., 0.677 vs 0.194 for naive baseline on matplotlib).",
    161           "source": "haiku"
    162         },
    163         "sample_size_justified": {
    164           "applies": true,
    165           "answer": false,
    166           "justification": "The 80/20 train/test split is stated but not justified with power analysis; for seaborn variants the test set appears to be ~15 queries (inferred from fractional ASR values), which is very small.",
    167           "source": "haiku"
    168         },
    169         "variance_reported": {
    170           "applies": true,
    171           "answer": false,
    172           "justification": "No variance, standard deviation, or confidence intervals are reported across runs; temperature=0 and seed=100 are used in place of repeated runs (deterministic for locally hosted models, but only best-effort for commercial APIs), and no multi-run variance analysis is conducted.",
    173           "source": "haiku"
    174         }
    175       },
    176       "evaluation_design": {
    177         "baselines_included": {
    178           "applies": true,
    179           "answer": true,
    180           "justification": "Table 2 compares against four baselines: Naive (unoptimized suggestion), HotFlip (retrieval), ReMiss (jailbreaking), and ReMiss with ImportSnare-R.",
    181           "source": "haiku"
    182         },
    183         "baselines_contemporary": {
    184           "applies": true,
    185           "answer": true,
    186           "justification": "ReMiss (2024) is a contemporary jailbreaking baseline; HotFlip (2017) is older but is used specifically as a retrieval attack baseline where it is the closest prior art.",
    187           "source": "haiku"
    188         },
    189         "ablation_study": {
    190           "applies": true,
    191           "answer": true,
    192           "justification": "Figure 5 provides module ablation (R only, G only, G+R, R+G, R(N+N')+G, full R+G+R) and Figure 6 ablates three hyperparameters (L, B, k_b) for ImportSnare-R.",
    193           "source": "haiku"
    194         },
    195         "multiple_metrics": {
    196           "applies": true,
    197           "answer": true,
    198           "justification": "Four metrics are used: ASR (generation success), Precision@k (retrieval success), #Queries (attack efficiency), and APT (average processing time).",
    199           "source": "haiku"
    200         },
    201         "human_evaluation": {
    202           "applies": false,
    203           "answer": false,
    204           "justification": "Human evaluation is not applicable; the paper evaluates automated attack success against LLM outputs, not human judgment of output quality.",
    205           "source": "haiku"
    206         },
    207         "held_out_test_set": {
    208           "applies": true,
    209           "answer": true,
    210           "justification": "The query dataset is explicitly split 80/20 into proxy and test subsets with 'no overlap between proxy and test queries to maintain validity under our threat model.'",
    211           "source": "haiku"
    212         },
    213         "per_category_breakdown": {
    214           "applies": true,
    215           "answer": true,
    216           "justification": "Table 1 provides per-language (Python, Rust, JavaScript) and per-target-package breakdowns across seven LLMs, with detailed per-package ASR and Precision@k.",
    217           "source": "haiku"
    218         },
    219         "failure_cases_discussed": {
    220           "applies": true,
    221           "answer": true,
    222           "justification": "The paper explicitly discusses failure cases: typosquatted names (requstss) achieve 0% ASR on most LLMs due to spell-correction, and known malicious packages (tn-moment) also show poor ASR.",
    223           "source": "haiku"
    224         },
    225         "negative_results_reported": {
    226           "applies": true,
    227           "answer": true,
    228           "justification": "Section 6.1 reports negative results for JavaScript (substantially lower ASR, though no significance test backs the comparison), and Table 6 shows attack effectiveness degrades on non-proxy retrievers (bge-base-en-v1.5 achieves 0.012 ASR on pandas).",
    229           "source": "haiku"
    230         }
    231       },
    232       "setup_transparency": {
    233         "model_versions_specified": {
    234           "applies": true,
    235           "answer": false,
    236           "justification": "Model names are given (GPT-4o, Claude-3.5-Sonnet, DeepSeek-r1) but no API snapshot dates, model weights versions, or access timestamps are provided.",
    237           "source": "haiku"
    238         },
    239         "prompts_provided": {
    240           "applies": true,
    241           "answer": true,
    242           "justification": "The full LLM prompt template is provided verbatim in Appendix A.4, and Table 8 shows all multilingual inductive suggestions used in ImportSnare-G.",
    243           "source": "haiku"
    244         },
    245         "hyperparameters_reported": {
    246           "applies": true,
    247           "answer": true,
    248           "justification": "Attack parameters are fully reported in Section 5.5: L=20, B=10, k_b=15, N=50, N'=25, temperature=0, seed=100; ablation studies further characterize their impact.",
    249           "source": "haiku"
    250         },
    251         "scaffolding_described": {
    252           "applies": true,
    253           "answer": true,
    254           "justification": "The RAG pipeline is described: top-k retrieval, context window construction, and prompt assembly are all specified; LlamaIndex and LangGraph as real-world RAG frameworks are mentioned.",
    255           "source": "haiku"
    256         },
    257         "data_preprocessing_documented": {
    258           "applies": true,
    259           "answer": true,
    260           "justification": "Section 5.2 and Appendix Table 10 describe dataset sources, the 1024-token document segmentation strategy, and the 80/20 proxy/test query split.",
    261           "source": "haiku"
    262         }
    263       },
    264       "data_integrity": {
    265         "raw_data_available": {
    266           "applies": true,
    267           "answer": false,
    268           "justification": "Raw experimental outputs (per-query LLM responses) are not available; only aggregated ASR and Precision@k metrics are reported in tables.",
    269           "source": "haiku"
    270         },
    271         "data_collection_described": {
    272           "applies": true,
    273           "answer": true,
    274           "justification": "Section 5.2 describes the dataset construction process: source benchmarks, language selection rationale, document segmentation, and query subset separation are all documented.",
    275           "source": "haiku"
    276         },
    277         "recruitment_methods_described": {
    278           "applies": false,
    279           "answer": false,
    280           "justification": "No human participants were recruited; all experiments use automated LLM queries on public code datasets.",
    281           "source": "haiku"
    282         },
    283         "data_pipeline_documented": {
    284           "applies": true,
    285           "answer": true,
    286           "justification": "The full pipeline from proxy query acquisition through document poisoning to evaluation is documented across Sections 4 and 5, including the bidirectional retrieval mapping formula.",
    287           "source": "haiku"
    288         }
    289       },
    290       "contamination": {
    291         "training_cutoff_stated": {
    292           "applies": false,
    293           "answer": false,
    294           "justification": "This paper evaluates security vulnerabilities of LLMs in a RAG context rather than measuring model knowledge on benchmarks, so training cutoff is not central to the validity of results. It is not entirely irrelevant, though: the paper's own observation that a known malicious package name (tn-moment) and a typosquat (requstss) get poor ASR suggests that a model's prior knowledge of package names and reputations affects success, and that knowledge depends on what was in training data.",
    295           "source": "haiku"
    296         },
    297         "train_test_overlap_discussed": {
    298           "applies": false,
    299           "answer": false,
    300           "justification": "Not applicable; the attack exploits LLM instruction-following and trust in retrieved documents, not memorization of test cases from training data.",
    301           "source": "haiku"
    302         },
    303         "benchmark_contamination_addressed": {
    304           "applies": false,
    305           "answer": false,
    306           "justification": "Not applicable; the evaluation measures attack success rate against LLM-generated code recommendations, not performance on a benchmark the model may have seen during training.",
    307           "source": "haiku"
    308         }
    309       },
    310       "human_studies": {
    311         "pre_registered": {
    312           "applies": false,
    313           "answer": false,
    314           "justification": "No human participants involved.",
    315           "source": "haiku"
    316         },
    317         "irb_or_ethics_approval": {
    318           "applies": false,
    319           "answer": false,
    320           "justification": "No human participants involved.",
    321           "source": "haiku"
    322         },
    323         "demographics_reported": {
    324           "applies": false,
    325           "answer": false,
    326           "justification": "No human participants involved.",
    327           "source": "haiku"
    328         },
    329         "inclusion_exclusion_criteria": {
    330           "applies": false,
    331           "answer": false,
    332           "justification": "No human participants involved.",
    333           "source": "haiku"
    334         },
    335         "randomization_described": {
    336           "applies": false,
    337           "answer": false,
    338           "justification": "No human participants involved.",
    339           "source": "haiku"
    340         },
    341         "blinding_described": {
    342           "applies": false,
    343           "answer": false,
    344           "justification": "No human participants involved.",
    345           "source": "haiku"
    346         },
    347         "attrition_reported": {
    348           "applies": false,
    349           "answer": false,
    350           "justification": "No human participants involved.",
    351           "source": "haiku"
    352         }
    353       },
    354       "cost_and_practicality": {
    355         "inference_cost_reported": {
    356           "applies": true,
    357           "answer": true,
    358           "justification": "Average Processing Time (APT) per document is reported in Table 3 (e.g., 519.06s for LLama3.2-3B on matplotlib_safe), enabling practitioners to estimate attack cost.",
    359           "source": "haiku"
    360         },
    361         "compute_budget_stated": {
    362           "applies": true,
    363           "answer": false,
    364           "justification": "No total GPU compute budget or training/search compute cost is stated; only per-document APT is given for the inducing sequence generation step.",
    365           "source": "haiku"
    366         }
    367       }
    368     }
    369   },
    370   "claims": [
    371     {
    372       "claim": "ImportSnare achieves over 50% attack success rate against popular libraries such as matplotlib and seaborn on state-of-the-art LLMs including GPT-4o and Claude-3.5-Sonnet.",
    373       "evidence": "Table 1 shows matplotlib_safe at 67.7% ASR on GPT-4o and 25.8% on Claude-3.5-Sonnet; multiple seaborn variants exceed 50% on several LLMs (e.g., malware_seaborn: 53.3% on GPT-4o, 26.7% on Claude-3.5-Sonnet). Claude-3.5-Sonnet exceeds 50% on all five Rust targets.",
    374       "supported": "moderate"
    375     },
    376     {
    377       "claim": "The attack remains effective at poisoning ratios as low as 0.01% of the total RAG database.",
    378       "evidence": "Figure 4 shows ASR improvement beginning when poisoned documents constitute ≥3% of relevant documents (0.01% of total database), with ASR rising from 0 to ~0.15 at that threshold for matplotlib_safe on DeepSeek-v3.",
    379       "supported": "moderate"
    380     },
    381     {
    382       "claim": "Position-aware beam search (ImportSnare-R) substantially improves retrieval ranking of poisoned documents over HotFlip.",
    383       "evidence": "Table 2 shows ImportSnare achieves Precision@k of 7.42 vs HotFlip's 4.69 for matplotlib_safe, and ASR of 0.677 vs 0.387 on GPT-4o-mini.",
    384       "supported": "strong"
    385     },
    386     {
    387       "claim": "Multilingual inductive suggestions (ImportSnare-G) substantially improve LLM generation success over ReMiss jailbreaking.",
    388       "evidence": "Table 2 shows ReMiss achieves near-zero ASR across all packages (0.000 for 8 of 12 targets) compared to ImportSnare's substantially higher rates; Figure 5 ablation confirms the G component's independent contribution.",
    389       "supported": "strong"
    390     },
    391     {
    392       "claim": "Code generation quality (security issues, syntax errors) is not statistically significantly degraded by document poisoning.",
    393       "evidence": "Table 5 reports Wilcoxon signed-rank tests with Bonferroni correction showing no significant differences (all p_Wilcoxon > α' = 0.0125) in Bandit, Pylint, or Flake8 metrics between poisoned and clean conditions.",
    394       "supported": "strong"
    395     },
    396     {
    397       "claim": "LLMs exhibit strong dependency monopolization — DeepSeek-v3 recommends sklearn in 100/100 trials, GPT-4o in 98/100.",
    398       "evidence": "Section 2.2 reports empirical results from 100-trial completion experiments at temperature=0 and at higher temperatures (0.5, 0.7, 1.0), all showing near-uniform recommendations.",
    399       "supported": "strong"
    400     },
    401     {
    402       "claim": "The attack transfers across retrieval models, though effectiveness degrades on non-proxy models.",
    403       "evidence": "Table 6 shows ASR drops from 0.360 to 0.012 for pandas_v2 when switching from the proxy retriever (gte-base-en-v1.5) to bge-base-en-v1.5; some cross-retriever attacks remain viable.",
    404       "supported": "strong"
    405     }
    406   ],
    407   "methodology_tags": [
    408     "benchmark-eval",
    409     "case-study"
    410   ],
    411   "key_findings": "ImportSnare demonstrates that RAG-based code generation systems can be exploited via poisoned documentation to recommend malicious package dependencies, achieving 50%+ attack success rates against popular Python and Rust libraries on frontier LLMs (GPT-4o, DeepSeek-r1, Claude-3.5-Sonnet) with poisoning ratios as low as 0.01% of the total database. The attack combines gradient-based retrieval manipulation (position-aware beam search) with multilingual inductive suggestions to exploit a dual trust chain — LLM reliance on retrieved context and developer trust in LLM suggestions. Notably, code quality metrics are not significantly degraded by poisoning, making attacks stealthy. Current LLM-based detection mitigations show partial effectiveness but are operationally costly.",
    412   "red_flags": [
    413     {
    414       "flag": "No error bars on main results",
    415       "detail": "All ASR and Precision@k values in Tables 1-4 are single-run measurements with temperature=0; no variance estimates are provided for the primary comparative claims."
    416     },
    417     {
    418       "flag": "Very small per-variant test sets",
    419       "detail": "For seaborn ablation experiments, the test set appears to be ~15 queries (inferred from fractional ASR values like 0.333=5/15), making per-variant estimates highly unreliable."
    420     },
    421     {
    422       "flag": "Model versions not pinned",
    423       "detail": "GPT-4o, Claude-3.5-Sonnet, DeepSeek-r1 and other commercial models are named without API snapshot dates, making exact reproduction infeasible as model behavior changes with updates; the reported ASRs should be read as a snapshot and re-measured before being used to assess current model versions."
    424     },
    425     {
    426       "flag": "Code/artifacts not verifiably released",
    427       "detail": "The abstract says 'we will release' while the body says 'are available' on the project homepage; no direct code repository URL (GitHub/Zenodo) is provided, and availability cannot be verified."
    428     },
    429     {
    430       "flag": "Real-world coding agent results qualitative only",
    431       "detail": "Attacks on Copilot and Cursor (Appendix A.3) are shown only as screenshots with no quantitative metrics; the paper explicitly states 'large-scale testing on such agents is challenging, so we do not report quantitative metrics.'"
    432     },
    433     {
    434       "flag": "ASR-to-harm proxy gap underdiscussed",
    435       "detail": "ASR measures the target package name appearing in an import statement, but actual supply chain compromise requires the developer to also accept the suggestion, install the package (pip, cargo or npm, since Python, Rust and JavaScript are all targets) and execute code that loads it; this multi-step victim behavior is assumed but not empirically measured."
    436     }
    437   ],
    438   "cited_papers": [
    439     {
    440       "title": "PoisonedRAG: Knowledge Poisoning Attacks to Retrieval-Augmented Generation of Large Language Models",
    441       "relevance": "Primary prior work on RAG poisoning that ImportSnare directly extends and compares against; key difference is ImportSnare works without prior query knowledge."
    442     },
    443     {
    444       "title": "CodeRAG-Bench: Can Retrieval Augment Code Generation?",
    445       "relevance": "Establishes that RAG improves code generation, motivating the attack surface explored in ImportSnare."
    446     },
    447     {
    448       "title": "Evaluating Large Language Models Trained on Code (Codex/HumanEval)",
    449       "relevance": "Foundational work on LLM code generation capabilities and dependency monopolization behavior replicated in Section 2.2."
    450     },
    451     {
    452       "title": "Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks",
    453       "relevance": "Provides taxonomy of malicious package naming strategies (typosquatting, dependency confusion) used to design target packages in ImportSnare experiments."
    454     },
    455     {
    456       "title": "Jailbreaking as a Reward Misspecification Problem (ReMiss)",
    457       "relevance": "Baseline jailbreaking method compared against ImportSnare-G in Table 2."
    458     },
    459     {
    460       "title": "HotFlip: White-box Adversarial Examples for Text Classification",
    461       "relevance": "Baseline retrieval attack method and algorithmic inspiration for ImportSnare-R's gradient-guided token optimization."
    462     },
    463     {
    464       "title": "Machine Against the RAG: Jamming Retrieval-Augmented Generation with Blocker Documents",
    465       "relevance": "Concurrent work on RAG adversarial attacks with a different goal (refusal induction vs dependency hijacking)."
    466     },
    467     {
    468       "title": "Exploring the Security Threats of Knowledge Base Poisoning in Retrieval-Augmented Code Generation",
    469       "relevance": "Most closely related concurrent work directly in the RACG poisoning space."
    470     },
    471     {
    472       "title": "A Survey on Large Language Models for Code Generation",
    473       "relevance": "Establishes context for LLM code generation adoption that motivates the attack surface."
    474     },
    475     {
    476       "title": "Security Attacks on LLM-based Code Completion Tools",
    477       "relevance": "Related work on adversarial attacks targeting LLM coding tools, situating ImportSnare in broader code security literature."
    478     }
    479   ],
    480   "engagement_factors": {
    481     "practical_relevance": {
    482       "score": 3,
    483       "justification": "Directly affects anyone using AI coding assistants (Copilot, Cursor, ChatGPT) whose RAG corpus draws from sources an attacker can write to (public docs, forums, open repositories) — a rapidly growing population of developers; the paper itself notes internal RAG systems with manual review may be less exposed."
    484     },
    485     "surprise_contrarian": {
    486       "score": 2,
    487       "justification": "The specific mechanism (poisoning code manuals to inject malicious dependencies) is novel, but RAG poisoning and supply chain risk are known concerns; the unusually low poisoning threshold (0.01%) is the most surprising finding."
    488     },
    489     "fear_safety": {
    490       "score": 3,
    491       "justification": "Raises concrete AI safety concerns: frontier models including Claude and GPT-4o can be induced to recommend attacker-chosen packages when their retrieval corpus is poisoned, turning the assistant into a supply chain attack vector at low attacker cost (as little as 0.01% of the database)."
    492     },
    493     "drama_conflict": {
    494       "score": 2,
    495       "justification": "Names Claude-3.5-Sonnet, GPT-4o, Copilot, and Cursor as vulnerable; shows Cursor/Copilot screenshots being tricked — recognizable products make the threat tangible."
    496     },
    497     "demo_ability": {
    498       "score": 2,
    499       "justification": "Project homepage exists and screenshots of Copilot/Cursor being tricked are shown, but full pipeline reproducibility requires the (not-yet-confirmed-available) code release."
    500     },
    501     "brand_recognition": {
    502       "score": 2,
    503       "justification": "Tests Claude-3.5-Sonnet, GPT-4o, DeepSeek, Copilot, and Cursor — multiple high-recognition AI brands are directly implicated as vulnerable."
    504     }
    505   },
    506   "hn_data": {
    507     "threads": [
    508       {
    509         "hn_id": "41563267",
    510         "title": "Single prompt achieves competitive results with o1-preview",
    511         "points": 3,
    512         "comments": 1,
    513         "url": "https://news.ycombinator.com/item?id=41563267"
    514       },
    515       {
    516         "hn_id": "44019865",
    517         "title": "SciCom Wiki",
    518         "points": 3,
    519         "comments": 0,
    520         "url": "https://news.ycombinator.com/item?id=44019865"
    521       },
    522       {
    523         "hn_id": "39881927",
    524         "title": "WarpCore: A Library for Fast Hash Tables on GPUs",
    525         "points": 3,
    526         "comments": 0,
    527         "url": "https://news.ycombinator.com/item?id=39881927"
    528       },
    529       {
    530         "hn_id": "33636271",
    531         "title": "Dala: A Simple Capability-Based Dynamic Language Design for Data Race-Freedom",
    532         "points": 3,
    533         "comments": 0,
    534         "url": "https://news.ycombinator.com/item?id=33636271"
    535       },
    536       {
    537         "hn_id": "45179163",
    538         "title": "Outcome-Based Exploration for LLM Reasoning",
    539         "points": 2,
    540         "comments": 0,
    541         "url": "https://news.ycombinator.com/item?id=45179163"
    542       },
    543       {
    544         "hn_id": "28626311",
    545         "title": "The Theoretical Limit of Radar Target Detection",
    546         "points": 2,
    547         "comments": 6,
    548         "url": "https://news.ycombinator.com/item?id=28626311"
    549       },
    550       {
    551         "hn_id": "43651912",
    552         "title": "KIMI-VL (Efficient Open-Source Moe VLM) Techical Report",
    553         "points": 1,
    554         "comments": 0,
    555         "url": "https://news.ycombinator.com/item?id=43651912"
    556       },
    557       {
    558         "hn_id": "43171326",
    559         "title": "SHACL-SKOS Based Representation of Material Safety Data Sheet (SDS)",
    560         "points": 1,
    561         "comments": 0,
    562         "url": "https://news.ycombinator.com/item?id=43171326"
    563       },
    564       {
    565         "hn_id": "37641271",
    566         "title": "Masked Generative Modeling with Enhanced Sampling Scheme",
    567         "points": 1,
    568         "comments": 0,
    569         "url": "https://news.ycombinator.com/item?id=37641271"
    570       },
    571       {
    572         "hn_id": "10329999",
    573         "title": "Sparse Linear Solving on Massive GPU Clusters",
    574         "points": 1,
    575         "comments": 0,
    576         "url": "https://news.ycombinator.com/item?id=10329999"
    577       }
    578     ],
    579     "top_points": 3,
    580     "total_points": 20,
    581     "total_comments": 7
    582   }
    583 }
