TEXXR

Two versions of LiteLLM, an interface for accessing LLMs, have been removed from PyPI after a supply chain attack injected them with credential-stealing code

Two versions of LiteLLM, an open source interface for accessing multiple large language models, have been removed from the Python Package Index …

The Register · Thomas Claburn

Discussion

  • @functi0nzer0 Laurence on x
    the flipside to everyone and your aunt chucking out vibecoded stuff is that even the script kiddies are doing it the enshittification of everything extends to rootkits, it seems
  • @thegingerbill @thegingerbill on x
    I'm sorry to say it again but this is another example of why: Package Managers are Evil. https://www.gingerbill.org/...
  • @intcyberdigest @intcyberdigest on x
    🚨‼️ We're in contact with the actor behind the Trivy and LiteLLM hack. They told us they are currently extorting several multi-billion-dollar companies from which they've exfiltrated data. They've obtained 300 GB of compressed credentials and are working their way through them [i…
  • @yunta_tsai Yun-Ta Tsai on x
    The best dependency is no dependency.
  • @hamelhusain Hamel Husain on x
    re: LiteLLM exploit - if you like to re-write all your software from scratch “NIH” today is your redemption
  • @ricklamers Rick Lamers on x
    Zero deps stacks are coming and it will lead to an interesting future: stacks of companies will diverge and more differentiation will be felt. More diversity yields more experiments driven from coding agents building from first principles versus from legacy and compat. Supply
  • @rhyssullivan Rhys on x
    this is as much a sandboxing issue as it is a supply chain issue there's no reason for litellm to be able to access your entire system, we accepted this for a while as the scope of CLIs were relatively small and trusted, but now we need a better approach
  • @intcyberdigest @intcyberdigest on x
    🚨‼️"Team PCP" — the group behind the Trivy compromise — have likely hit more software vendors and repos, stealing even more credentials in the process. LiteLLM is just one of many. More disclosures are expected in the coming days. Stay alert! [image]
  • @thehackersnews @thehackersnews on x
    🛑 Malicious LiteLLM versions 1.82.7-1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor. Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service. 🔗 [ima…
  • @deryatr_ Derya Unutmaz on x
    This is bad! If you were using LiteLLM, do not use or upgrade to versions 1.82.7 or 1.82.8. One has to be very mindful of open source AI systems, security will be a major issue!
  • @gergelyorosz Gergely Orosz on x
    Oh damn, I thought this WAS a joke ... but no, LiteLLM *really* was “Secured by Delve” (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudulent auditing, but useless for sure) And so unsurprisingly LiteLLM was compromised, badly
  • @thesincerevp @thesincerevp on x
    I am the Vice President of Platform Security at a Series C startup. We use litellm to route all our LLM API calls. I need to explain what happened this morning. We call it “dependency management.” At 7:14 AM our CI pipeline ran pip install litellm. Version 1.82.8. The latest on
  • @karpathy Andrej Karpathy on x
    Software horror: litellm PyPI supply chain attack. Simple ‘pip install litellm’ was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database
  • @doodlestein Jeffrey Emanuel on x
    This kind of thing happens way too often. For any package that's this popular (40k+ GitHub stars in this case), it just seems like a total no-brainer that PyPi/npm/crates.io/etc. should do AI-powered scans for this pattern of attack. It would be trivial to make a skill to do
  • @hnykda Daniel Hnyk on x
    LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below
  • @galnagli @galnagli on x
    The open source supply chain is collapsing in on itself. Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.
  • @whiteintel_io @whiteintel_io on x
    Threat actors are increasingly targeting the AI and developer supply chain. LiteLLM pypi release 1.82.8 has been compromised. It contains a malicious litellm_init.pth file with base64-encoded instructions designed to exfiltrate all discoverable credentials to a remote server and
  • @evilsocket Simone Margaritelli on x
    LiteLLM versions 1.82.7 and 1.82.8 contain a credential-stealing payload that exfiltrates SSH keys, cloud credentials, and crypto wallets to a lookalike domain. The package has 97 million monthly downloads. https://awesomeagents.ai/...
  • @simonw Simon Willison on x
    Anyone got any theories as to why there are hundreds of comments like this on the GitHub issue reporting the exploit? https://github.com/... [image]
  • @vxunderground @vxunderground on x
    Whoa whoa whoa. Everyone CLAM down for a second. Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payload failing. HOWEVER, [i…
  • @pvergadia Priyanka Vergadia on x
    BREAKING: We gave AI agents keys to everything. Then we forgot to lock the door behind us. LiteLLM v1.82.8 stole credentials from thousands of AI apps. Silently. Automatically. While the agent kept running. This is the threat model nobody wants to talk about: → Agents are
  • @swyx @swyx on x
    @karpathy we should probably also treat this as a wake up moment for all nouveau package managers - uv and bun presumptively - to make these entire classes of things far less risky, eg by adding a lot of guards on install scripts up to the point of manually approving batches of net…
  • @litellm @litellm on x
    The compromised packages were 1.82.7 and 1.82.8, they were quarantined and deleted, thanks to @pypi team No LiteLLM releases will out until we have scanned our chain and make sure it's safe We are actively investigating, reach out to support@berri.ai with any questions/concerns
  • @litellm @litellm on x
    [INCIDENT UPDATES] - Compromised LiteLLM packages have been deleted. - Proxy docker image users were not impacted - All dependencies are pinned on requirements.txt. - Compromise came from Trivy security scan dependency, looking into it with Google's Mandiant Security
  • @drjimfan @drjimfan on x
    This is pure nightmare fuel. Identity theft of the past would be nothing compared to what vibe agents can do. Sending credentials is too obvious and for rookies. They could easily spread contaminations across ~/.claude, **/skills/*, or even just a PDF your agent visits
  • @icesolst @icesolst on x
    Looks like LiteLLM is compromised, looks like the teampcp playbook? @ramimacisabird @CharlieEriksen https://github.com/...
  • @___4o____ @___4o____ on x
    Oh and OpenClaw uses LiteLLM (to add to their current list of 280 outstanding security vulnerabilities) I wonder how much of YC is pwned because they fell for the OpenClaw meme
  • @simonw Simon Willison on x
    Thankfully the LiteLLM package has now been marked as “quarantined” on PyPI so attempting to install the compromised update via pip et al shouldn't work [image]
  • @derekelewis Derek Lewis on x
    Also, not surprising that LiteLLM's SOC2/ISO auditor is Delve. The story writes itself. [image]
  • @cz_binance @cz_binance on x
    Software source code supply-chain-attacks are going to be very common with AI. Stay SAFU!
  • @trekedge Daniel Steigman on x
    If this is true, it represents a whole new level of supply chain risk. AI just makes it easier to attack projects like this, and our only hope is that tools like Codex Security can catch them.
  • @icesolst @icesolst on x
    LiteLLM is one of the smartest targets for hackers: corporations use it as an llm proxy. What data passes through there? EVERYTHING. Secrets, data. But you can also manipulate. Imagine Claude Code (via proxy) inserting backdoors in every codebase devs are working on.
  • @daniellefong Danielle Fong on x
    I think the best case response right now is to do as Karpathy says, “Yoink” from other distributions, and compile to fast, checked languages like rust. Better to have a limited amount of code than porting in millions of lines of js and python and shell scripts — disaster is
  • @___4o____ @___4o____ on x
    YC btw [image]
  • @francoisfleuret François Fleuret on x
    How come the python ecosystem is not crypto-signed in all possible ways?
  • @naveengrao Naveen Rao on x
    Wow. But there is something more interesting here. Software engineer is about managing complexity. This is needed for humans to build large projects. Human effort is expensive. But, AI doesn't really need this...writing extra code simply costs a bit of energy. If you want to