Two versions of LiteLLM, an interface for accessing LLMs, have been removed from PyPI after a supply chain attack injected them with credential-stealing code
Two versions of LiteLLM, an open source interface for accessing multiple large language models, have been removed from the Python Package Index …
The Register · Thomas Claburn
Related Coverage
- Supply Chain Attack in litellm 1.82.8 on PyPI FutureSearch · Callum McMahon
- How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM Snyk · Stephen Thoemmes
- TeamPCP Isn't Done: Threat Actor Behind Trivy and KICS Compromises Now Hits LiteLLM's 95 Million Monthly Downloads on PyPI Endor Labs · Kiran Raj
- Malicious litellm_init.pth in litellm 1.82.8 — credential stealer. … Simon Willison's Weblog · Simon Willison
- LiteLLM Supply Chain Attack Steals 300GB Data and 500K Credentials The Crypto Times · Kenrodgers Fabian
- [Security]: litellm PyPI package (v1.82.7 + v1.82.8) compromised — full timeline and status · Issue #24518 · BerriAI/litellm GitHub · Isfinne
- Aqua Security's Trivy Scanner Compromised in Supply Chain Attack Cyber Security News · Guru Baran
- Guidance for detecting, investigating, and defending against the Trivy supply chain compromise Microsoft Security Blog
- Popular LiteLLM PyPI package backdoored to steal credentials, auth tokens BleepingComputer · Lawrence Abrams
- TeamPCP Backdoors LiteLLM Versions 1.82.7-1.82.8 via Trivy CI/CD Compromise The Hacker News
- Trivy's March Supply Chain Attack Shows Where Secret Exposure Hurts Most Security Boulevard · Guillaume Valadon
- Wow, TeamPCP is hacking open-source developers faster than we can report on them. The latest (that I'm aware of, anyway) is LiteLLM. They worked with Trivy but didn't bother to change their credentials after Trivy was hacked, despite an ample amount of advice to do so. … @dangoodin@infosec.exchange · Dan Goodin
- Malicious litellm_init.pth in litellm 1.82.8 PyPI package - credential stealer Hacker News
- Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised Hacker News
- Malicious LiteLLM versions linked to TeamPCP supply chain attack Security Affairs · Pierluigi Paganini
- TeamPCP Hits Trivy, Checkmarx, and LiteLLM in Credential Theft Campaign Hackread · Deeba Ahmed
- PyPI warns developers after LiteLLM malware found stealing cloud and CI/CD credentials CSO · Shweta Sharma
- Compromised litellm PyPI Package Delivers Multi-Stage Credential Stealer Sonatype
- Trivy supply chain breach compromises over 1,000 SaaS environments, Lapsus$ joins the extortion wave CSO · Gyana Swain
- LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks Help Net Security · Zeljka Zorz
- TeamPCP Expands Supply Chain Campaign With LiteLLM PyPI Compromise Infosecurity · Alessandro Mascellino
- Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack CyberScoop · Matt Kapko
- LiteLLM PyPI Package With 95 Million Downloads Compromised by TeamPCP Hackers Cyber Security News · Guru Baran
- Sophisticated Supply Chain Attack Targeting Trivy Expands to Checkmarx, LiteLLM DevOps.com · Jeff Burt
- Supply chain attack hits widely-used AI package, risks impacting thousands of companies The Record · Alexander Martin
- When Your Scanner Becomes the Weapon: From Trivy to LiteLLM Security Boulevard · Omer Guetta
Discussion
-
@karpathy
Andrej Karpathy
on x
Software horror: litellm PyPI supply chain attack. Simple ‘pip install litellm’ was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database
-
@vxunderground
@vxunderground
on x
Whoa whoa whoa. Everyone CLAM down for a second. Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payload failing. HOWEVER, [i…
-
@simonw
Simon Willison
on x
Thankfully the LiteLLM package has now been marked as “quarantined” on PyPI so attempting to install the compromised update via pip et al shouldn't work [image]
-
@drjimfan
@drjimfan
on x
This is pure nightmare fuel. Identity theft of the past would be nothing compared to what vibe agents can do. Sending credentials is too obvious and for rookies. They could easily spread contaminations across ~/.claude, **/skills/*, or even just a PDF your agent visits
-
@hnykda
Daniel Hnyk
on x
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8 has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below
-
@ricklamers
Rick Lamers
on x
Zero deps stacks are coming and it will lead to an interesting future: stacks of companies will diverge and more differentiation will be felt. More diversity yields more experiments driven from coding agents building from first principles versus from legacy and compat. Supply
-
@derekelewis
Derek Lewis
on x
Also, not surprising that LiteLLM's SOC2/ISO auditor is Delve. The story writes itself. [image]
-
@litellm
@litellm
on x
[INCIDENT UPDATES] - Compromised LiteLLM packages have been deleted. - Proxy docker image users were not impacted - All dependencies are pinned on requirements.txt. - Compromise came from Trivy security scan dependency, looking into it with Google's Mandiant Security
-
@gergelyorosz
Gergely Orosz
on x
Oh damn, I thought this WAS a joke ... but no, LiteLLM *really* was “Secured by Delve” (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudulent auditing, but useless for sure) And so unsurprisingly LiteLLM was compromised, badly
-
@pvergadia
Priyanka Vergadia
on x
BREAKING: We gave AI agents keys to everything. Then we forgot to lock the door behind us. LiteLLM v1.82.8 stole credentials from thousands of AI apps. Silently. Automatically. While the agent kept running. This is the threat model nobody wants to talk about: → Agents are
-
@litellm
@litellm
on x
The compromised packages were 1.82.7 and 1.82.8, they were quarantined and deleted, thanks to @pypi team. No LiteLLM releases will go out until we have scanned our chain and made sure it's safe. We are actively investigating, reach out to support@berri.ai with any questions/concerns
-
@daniellefong
Danielle Fong
on x
I think the best case response right now is to do as Karpathy says, “Yoink” from other distributions, and compile to fast, checked languages like rust. Better to have a limited amount of code than porting in millions of lines of js and python and shell scripts — disaster is
-
@thegingerbill
@thegingerbill
on x
I'm sorry to say it again but this is another example of why: Package Managers are Evil. https://www.gingerbill.org/...
-
@rhyssullivan
Rhys
on x
this is as much a sandboxing issue as it is a supply chain issue there's no reason for litellm to be able to access your entire system, we accepted this for a while as the scope of CLIs were relatively small and trusted, but now we need a better approach
-
@yunta_tsai
Yun-Ta Tsai
on x
The best dependency is no dependency.
-
@___4o____
@___4o____
on x
Oh and OpenClaw uses LiteLLM (to add to their current list of 280 outstanding security vulnerabilities) I wonder how much of YC is pwned because they fell for the OpenClaw meme
-
@deryatr_
Derya Unutmaz
on x
This is bad! If you were using LiteLLM, do not use or upgrade to versions 1.82.7 or 1.82.8. One has to be very mindful of open source AI systems, security will be a major issue!
-
@thehackersnews
@thehackersnews
on x
🛑 Malicious LiteLLM versions 1.82.7-1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor. Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service. 🔗 [ima…
-
@trekedge
Daniel Steigman
on x
If this is true, it represents a whole new level of supply chain risk. AI just makes it easier to attack projects like this, and our only hope is that tools like Codex Security can catch them.
-
@hamelhusain
Hamel Husain
on x
re: LiteLLM exploit - if you like to re-write all your software from scratch “NIH” today is your redemption
-
@functi0nzer0
Laurence
on x
the flipside to everyone and your aunt chucking out vibecoded stuff is that even the script kiddies are doing it the enshittification of everything extends to rootkits, it seems
-
@thesincerevp
@thesincerevp
on x
I am the Vice President of Platform Security at a Series C startup. We use litellm to route all our LLM API calls. I need to explain what happened this morning. We call it “dependency management.” At 7:14 AM our CI pipeline ran pip install litellm. Version 1.82.8. The latest on
-
@intcyberdigest
@intcyberdigest
on x
🚨‼️"Team PCP" — the group behind the Trivy compromise — have likely hit more software vendors and repos, stealing even more credentials in the process. LiteLLM is just one of many. More disclosures are expected in the coming days. Stay alert! [image]
-
@___4o____
@___4o____
on x
YC btw [image]
-
@intcyberdigest
@intcyberdigest
on x
🚨‼️ We're in contact with the actor behind the Trivy and LiteLLM hack. They told us they are currently extorting several multi-billion-dollar companies from which they've exfiltrated data. They've obtained 300 GB of compressed credentials and are working their way through them [i…
-
@francoisfleuret
François Fleuret
on x
How come the python ecosystem is not crypto-signed in all possible ways?
-
@naveengrao
Naveen Rao
on x
Wow. But there is something more interesting here. Software engineering is about managing complexity. This is needed for humans to build large projects. Human effort is expensive. But, AI doesn't really need this...writing extra code simply costs a bit of energy. If you want to
-
@swyx
@swyx
on x
@karpathy we should probably also treat this as a wake up moment for all nouveau package managers - uv and bun presumptively - to make these entire classes of things far less risky, eg by adding a lot of guards on install scripts up to the point of manually approving batches of net…
-
@cz_binance
@cz_binance
on x
Software source code supply-chain-attacks are going to be very common with AI. Stay SAFU!
-
@simonw
Simon Willison
on x
Anyone got any theories as to why there are hundreds of comments like this on the GitHub issue reporting the exploit? https://github.com/... [image]
-
@doodlestein
Jeffrey Emanuel
on x
This kind of thing happens way too often. For any package that's this popular (40k+ GitHub stars in this case), it just seems like a total no-brainer that PyPi/npm/crates.io/etc. should do AI-powered scans for this pattern of attack. It would be trivial to make a skill to do
-
@icesolst
@icesolst
on x
LiteLLM is one of the smartest targets for hackers: corporations use it as an llm proxy. What data passes through there? EVERYTHING. Secrets, data. But you can also manipulate. Imagine Claude Code (via proxy) inserting backdoors in every codebase devs are working on.
-
@evilsocket
Simone Margaritelli
on x
LiteLLM versions 1.82.7 and 1.82.8 contain a credential-stealing payload that exfiltrates SSH keys, cloud credentials, and crypto wallets to a lookalike domain. The package has 97 million monthly downloads. https://awesomeagents.ai/...
-
@galnagli
@galnagli
on x
The open source supply chain is collapsing in on itself. Trivy gets compromised → LiteLLM gets compromised → credentials from tens of thousands of environments end up in attacker hands → and those credentials lead to the next compromise. We are stuck in a loop.
-
@whiteintel_io
@whiteintel_io
on x
Threat actors are increasingly targeting the AI and developer supply chain. LiteLLM pypi release 1.82.8 has been compromised. It contains a malicious litellm_init.pth file with base64-encoded instructions designed to exfiltrate all discoverable credentials to a remote server and
-
@icesolst
@icesolst
on x
Looks like LiteLLM is compromised, looks like the teampcp playbook? @ramimacisabird @CharlieEriksen https://github.com/...
-
@lukaszolejnik
Lukasz Olejnik
on bluesky
LiteLLM, an important part of AI software infrastructure, has just been compromised. The payload was a stealer that grabbed environment variables, SSH keys, credentials, ..., crypto wallets, then exfiltrated everything. LiteLLM used Trivy (a security scanner). futuresearch.ai/…
-
r/netsec
r
on reddit
How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM
-
@deanwball
Dean W. Ball
on x
I would love to see policymakers take 50x greater interest in issues like this and 99.9% less interest in issues like AI water use.
-
@mitsuhiko
Armin Ronacher
on x
Once again I will point out that it was a massive mistake to not go with min-ver but go with latest semver compatible instead. People argued that you cannot do minver because users would lose out on important security updates. Now we have people upgrade to security issues instead
-
@elonmusk
Elon Musk
on x
Caveat emptor
-
@theprimeagen
@theprimeagen
on x
he is right again [image]
-
@justintrimble
Justin Trimble
on x
Sincere message to all vibecoders, Pls use an isolated computer for all dev.
-
@yuchenj_uw
Yuchen Jin
on x
Thought this was fake at first. It's actually real. AI labs like OpenAI and Anthropic will ship cybersecurity agents that continuously scan codebases to replace SOC 2 auditor companies I feel. [image]
-
@juntao
Michael Yuan
on x
I am sorry but this one steals your credentials through a simple ‘pip install’ — often done passively without your knowledge as a dependency. Your OpenClaw bot could install it already on your computer. That's why you need to use Rust for your agents. https://x.com/...
-
@theprimeagen
@theprimeagen
on x
> So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks do we have proof of this? I want this to be true so bad
-
@aakashgupta
Aakash Gupta
on x
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine. The attacker picked the one package whose entire job is holding every …
-
@paulsolt
Paul Solt
on x
Huge security vulnerability with litellm. Might be better to create your own code dependencies and use less open source projects to reduce the risk. Protect yourself and your company. Be cautious about dependencies.
-
@matrosov
Alex Matrosov
on x
I worry that the open-source software supply chain is headed in a dangerous direction. The current state of CI/CD is deeply concerning, and the problem extends well beyond GitHub. The speed of AI-driven development only makes things more complicated. We are seeing many security
-
@asmah2107
Ashutosh Maheshwari
on x
The pyramid of dependencies was always a house of cards. One ‘pip install’ and your entire credential store walks out the door, not because you were hacked, but because you trusted a dependency tree no human has ever fully read.
-
@fede_intern
@fede_intern
on x
If @ethereum continues with this nonsense of zkVM vibecoded we're gonna end with the L1 fully hacked. We all make mistakes and I'm sure we will get hacked too. The difference is that we try to avoid it. Some irresponsible people have been proposing to vibecode cryptography like
-
@ad0rnai
Lan
on x
babe wake up Andrej Karpathy just coined a new software term
-
@wholemars
@wholemars
on x
Wow. Be careful installing things from the internet. I think we need some tool where a locally running model can read all the python code being downloaded and detect supply chain attacks before installing. Maybe this could be built into pip / apt etc.