Nerudo Ned Mregi

@hnykda If you have to check and review the tools that are affected across your machine: find / -name "pip" -o -name "pip3" 2>/dev/null | while read p; do echo "=== $p ==="; $p show litellm 2>/dev/null; done

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below

@breath_mirror Langflow Headroom and Aiderchat are affected

check across ALL Python environments (including virtualenvs and conda): find / -name "litellm" -type d 2>/dev/null the malware drops a specific file, check if it exists: find / -name "litellm_init.pth" 2>/dev/null (if this file is found, you are compromised)

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

@pontusab This doesn’t look like a good practice to expose this much information externally.

This is how my usual `/health` endpoint looks like.

SAMURAI: Adapting Segment Anything Model for Zero-Shot Visual Tracking with Motion-Aware check out this SAM2 vs SAMURAI comparison! - paper: arxiv.org/pdf/2411.11922 - code: github.com/yangchris11/sa… - license: Apache-2.0

Optimising Images for Small Memory Devices with Limited Resources, by @NerdGr8 open.substack.com/pub/nerudo/p/o…

🚀 Just released my M5Dial LVGL Project Boilerplate! 🎉 Quickly scaffold and configure an LVGL project for #M5Dial with support for UIs from #SquarelineStudio and #EEZStudio. Perfect for #IoT hardware UI devs! 💻 Check it out on GitHub: [shorturl.at/0y8yk] #Arduino #LVGL

Oh how this place has changed over the year :/ #MyXAnniversary

By my count we've had five Tiger Woods Golf Swing Eras. 1. Young Swing 2. Butch Swing 3. Haney Swing 4. Foley Swing 5. First Comeback Swing With this video, I'm officially declaring the start of a sixth era: 6. The Second Comeback Swing

Tiger Woods tees it up this week 🐅

Explore the world of simple database replication with #ReplicaDB. Hop on this ride with us, and let's experience the simplicity and effectiveness of ReplicaDB together! For more information, check out my blog. nerudo.substack.com/p/database-syn…

ReplicaDB has truly revolutionized the way we manage data for @GetSensure. It has turned complex synchronization tasks into simple operations.

I just published a quick dive into #ReplicaDB in my new blog post. Let's dive into the magic of this no-frills, easy-to-use source-to-sink replication tool. It's time to simplify your database syncing tasks! #ETL #MLOPS

💼 Follow along on this journey of discovery as we take on #MachineLearning, data engineering, and software architecture challenges head-on! [nerudo.substack.com/p/path-to-ml-a…]

👩‍💻 If you're here, I assume you share my affinity for .NET. So, let's dive in together into the world of time-series data, ML.NET, PostgreSQL and more! #DotNet #DataScience

🚀 We started our journey @GetSensure from a humble hackathon initiative. The audacious goal? Disrupting the insurance arena by leveraging Machine Learning (ML) and AI. #MachineLearning #AI #InsurTech