Ashish Vaid

1.1K posts

@funnyenough

Product @VatomInc⚡️Building AI-first Engagement platform for the rest of us. Come join us!

Los Angeles, CA · Joined March 2007
512 Following · 358 Followers
Ashish Vaid retweeted
Andrej Karpathy @karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk @hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below

Ashish Vaid retweeted
Ram Gopal Varma @RGVzoomin
The @Dhurandhar2 is a HORROR. It is a horror for all filmmakers who built their careers and their fortunes on dumbed down, over the top cinema. The cinema that demanded the brain to be left at home. The cinema that was rammed down our throats full of LOUDNESS and MASALA which will be now soon on a ventilator struggling for breath. #Dhurandar2 will scare the living hell out of every filmmaker who still worships the godly hero. In #Dhurandhar2, @RanveerOfficial killed all those heroes who never bleed, and never feel pain, and then over the dead bodies of those kind of outdated heroes, he gave birth to a true real hero, flawed, yet dangerous and unpredictable and also his heroism comes from his actions instead of being thrust upon the heads with ear drum shattering music. Compared to this new kind of hero, the godly heroes will suddenly look ridiculous, almost like clowns in a circus. And then their blind worshippers will feel naked, exposed and scared hearing of the collections. #Dhurandhar2 will terrify those who built their careers on action set pieces where physics is a joke and gravity is non existent. The scenes, where men are thrown fifty feet in the air, bounce off the ground like rubber balls, survive explosions that would vaporise cities, and still deliver punch dialogues while dusting their shoulders will be hunted and killed by the new audience. After the audience saw action that actually hurts, that actually bleeds, the flying goon brigade will suddenly feel cheap, fake, and embarrassingly ridiculous. The filmmakers who still swear by wires and cranes to fake uplift the heroes will now wake up shivering in cold sweat.
It will make the pan india directors tremble in their chairs, the ones who still believe characters are created by hairdos, costumes, photo shopped six packs, and designer clothes instead of intrinsic psychological depth. When the audience of #Dhurandhar2 saw a hero whose power comes from his mind and not his biceps, the hair and costume school of cinema will look like kindergarten dress up. Dhurandhar 2 is not just a film. It is a verdict. With Dhurandhar 2 @AdityaDharFilms cut off the head of that kind of cinema, the one that insulted the intelligence of the audience, the one that replaced stories with bloated gaudy visuals, the one that turned heroes into gods and audiences into sheep. The collections of #Dhurandhar2 are now in the process of burying all those earlier makers' beliefs in a grave so deep that even their ghosts can’t come out. And the screams you are hearing now of #Dhurandhar2 box office collections is the collective sound which is announcing their deaths. If the makers of those kind of films which are already under production, or about to start shooting, don’t go back to their drawing boards and exorcise themselves by watching #Dhurandhar2 multiple times even GOD can’t save their SPIRITS. But the problem is, even if they intend to do that, they might have tonnes of money, but where will they get the brain of @AdityaDharFilms? 😳😳😳
Ashish Vaid retweeted
Elon Musk @elonmusk
Ashish Vaid retweeted
Lenny Rachitsky @lennysan
Today I'm releasing my entire newsletter archive (350+ posts) and all podcast transcripts (300+ episodes) as AI-friendly Markdown files. Plus an MCP server and GitHub repo. A few months ago I shared my podcast transcripts on a whim, and y'all built the most amazing things—an RPG game, a parenting wisdom site, infographics, a Twitter bot, and 50+ other projects. Let's see what happens when I give you even more data. Grab the data here: LennysData.com. Paid subscribers get all of the data (some 350 posts and 300 transcripts). Free subscribers get a subset. I don’t think anyone’s ever done anything like this before, and I’m excited to give you this excuse to play with that AI tool you've been meaning to try. Here’s my challenge to you: build something, and let me know about it. I’ll pick my favorite and give you a free 1-year subscription to the newsletter. Just post a link to your project in the comments here: lennysnewsletter.com/p/how-i-built-…. If you’ve already built something, slurp in this new data and submit it, too. I’ll pick a winner on April 15th. Check out today's newsletter post for inspiration on what you could build: lennysnewsletter.com/p/how-i-built-… LFG.
Ashish Vaid retweeted
Hunter Rice @hunterrice
@orbitai One last scavenger hunt for old time sake
Ashish Vaid retweeted
Hunter Rice @hunterrice
@orbitai This will be one of the important technologies in this new era. Much more to come
Ashish Vaid retweeted
Orbit @orbitai
Today, we’re showcasing @OrbitAI, the identity layer of the internet that resolves human entities across the web. People discovery represents 10% of web searches, but it’s still a scavenger hunt to find who you’re looking for. Orbit has reorganized the web from the ground up, unifying all data about a person in one searchable graph. We built an interface for the X community to preview it. Try it out👇
Ashish Vaid @funnyenough
Anyone that backs this should be voted out. Simple as that.
Enjoy @_ema_nuel

@Polymarket Banning AI from answering law and medicine questions is just going to make people go back to 'Googling symptoms' and getting worse advice. Regulation should be about accuracy, not a total blackout. Thoughts?

Ashish Vaid retweeted
Thariq @trq212
Voice mode is rolling out now in Claude Code. It’s live for ~5% of users today, and will be ramping through the coming weeks. You'll see a note on the welcome screen once you have access. /voice to toggle it on!
Ashish Vaid retweeted
Boris Cherny @bcherny
In the next version of Claude Code.. We're introducing two new Skills: /simplify and /batch. I have been using both daily, and am excited to share them with everyone. Combined, these skills automate much of the work it used to take to (1) shepherd a pull request to production and (2) perform straightforward, parallelizable code migrations.
Ashish Vaid retweeted
Claude @claudeai
Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…
Ashish Vaid retweeted
James Blunt @JBlunt1018
700k H-1B workers have somehow become the villains in a country of 330,000,000. That’s 0.4% of the workforce. 0.2% of the population. A rounding error turned into a national crisis. Can you spot it? If you don’t see this as an attack on legal immigrants. I don’t have anything left to say.
Nic Cruz Patane @niccruzpatane
I’m sorry…what was Apple thinking when they chose this color