Simiyu

4.7K posts

@SimlawSimiyu

Open for high impact community projects. Kenya is home.

Joined November 2016
3K Following · 1.6K Followers
Simiyu reposted
Daniel Hnyk
Daniel Hnyk@hnykda·
So let me get this straight: we at @FUTURESEARCHAI discover the litellm supply chain attack, report it to PyPI, open the disclosure issue on GitHub, and... @github bans my account? What the hell!?
Simiyu reposted
Andrej Karpathy
Andrej Karpathy@karpathy·
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk@hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64-encoded instructions to send all the credentials it can find to a remote server and self-replicate. Link below.

Simiyu reposted
Seyed Mohammad Marandi
Seyed Mohammad Marandi@s_m_marandi·
So, @X and @elonmusk refuse to remove this. Notice the 'paid partnership.' Elon Musk and his employees support terrorism, but no one should be surprised. After all, they support the slaughter of women and children across West Asia.
KABABA
KABABA@GeneralWaitish·
You're fine with all the traditions, even marrying cousins, sleeping with dead bodies, wife inheritance, putting ash on bachelors' backsides when they die, but wait till it gets to the Kikuyu and you all lose it. Fine then, eat shit.
Simiyu reposted
Ajeet ( opensox.ai )
imagine being a $380B company and nuking a small, community-built Open Source project just because it's better than yours and costs less.
Juma G 🇰🇪
Juma G 🇰🇪@jumaf3·
My friend Sammy Mudaki who owns 64 Auto Solutions was given a tender to repair Uasin Gishu County vehicles. For 1 year, the county has not been paying him. Today, the Governor sent county askaris (goons) who forcefully came and took away cars from the garage, threatened him and told him there is nothing he can do to them. They have promised to make sure that he is out of business... How can SMEs survive with these hyenas in power surely?
Simiyu
Simiyu@SimlawSimiyu·
@jumaf3 If he did no nasty embarrassing deals and he is looking for a hot-blooded partner... I'm available...
Simiyu reposted
CPA Wachira Joseph
CPA Wachira Joseph@WashiraX·
Not all money in your bank account is taxable income... Court warns KRA.
There is a company called Konchor Kid Limited. Their business is simple.
- They collect money on behalf of clients through their bank accounts.
- Pass it to the clients.
- Retain a commission of 0.2%.
Meaning,
- For every 1 billion they collect,
- They earn 2 million shillings.
KRA audited them. Saw their bank accounts. And went nuts.
- How can billionaires declare an income of 2 million only?
KRA became even more dramatic.
- They baptized the difference of 998 million as UNDECLARED INCOME.
Then issued a tax demand of 345m.
Konchor Kid explained their business model to KRA.
- Bro, these billions you see here are not our money.
- We only earn 0.2%.
They even provided client agreements to prove it. But the KRA officers, salivating to beat their targets, could not hear any of it.
Konchor Kid ran to court. The court looked at the case and shook its head.
Court affirmed:
- The company had fully explained its nature of business.
- It had provided sufficient evidence.
- KRA had no basis to ignore that.
The court declared KRA’s actions were unfair, unreasonable and illegal. As such KRA lost.
Lessons.
- The govt is setting higher targets for KRA every year.
- KRA staff are under insane pressure to beat these targets.
- So, KEEP RECORDS. Records. Records. Records.
Records are king in tax audits.
Simiyu reposted
0xSero
0xSero@0xSero·
Putting out a wish to the universe. I need more compute, if I can get more I will make sure every machine from a small phone to a bootstrapped RTX 3090 node can run frontier intelligence fast with minimal intelligence loss. I have hit page 2 of huggingface, released 3 model family compressions and got GLM-4.7 on a MacBook huggingface.co/0xsero My beast just isn’t enough and I already spent 2k usd on renting GPUs on top of credits provided by Prime intellect and Hotaisle. ——— If you believe in what I do help me get this to Nvidia, maybe they will bless me with the pewter to keep making local AI more accessible 🙏
Michael Dell 🇺🇸@MichaelDell

Jensen Huang is loving the new Dell Pro Max with GB300 at NVIDIA GTC.💙 They asked me to sign it, but I already did 😉

Simiyu reposted
Algeria FC
Algeria FC@Algeria_FC·
Trophies are won on the pitch 🇸🇳⭐️⭐️
Simiyu reposted
Afroman
Afroman@ogafroman·
"In all circumstances, the jury finds in favor of the defendant"
Simiyu reposted
World Bank Kenya
World Bank Kenya@WorldBankKenya·
World Bank Group Debars PricewaterhouseCoopers Associates Africa Ltd., PricewaterhouseCoopers Limited, Kenya, and PricewaterhouseCoopers Rwanda Limited worldbank.org/en/news/press-…
Simiyu reposted
Julians Amboko
Julians Amboko@AmbokoJH·
World Bank Group debars PwC Associates, PwC Kenya, & PwC Rwanda in connection with collusive & fraudulent practices as part of the Eastern Electricity Highway Project under the First Phase of the Eastern Africa Power Integration Program in Ethiopia. Effectively, PwC Associates, PwC Kenya, PwC Rwanda, & any affiliates they control will be ineligible to participate in Bank Group-financed projects & operations. The World Bank says the settlement agreement provides for a reduced period of debarment in light of the companies’ admission of misconduct, cooperation, strengthening of aspects of their existing integrity compliance program, & voluntary remedial actions. The remedial actions include an internal investigation, internal action against responsible parties, ceasing business with all involved sub-consultants & voluntary restraint from bidding for Bank Group-financed contracts during the settlement agreement negotiations.
Simiyu
Simiyu@SimlawSimiyu·
@djeduhmaks The chopping board has been given some character...
DJ
DJ@djeduhmaks·
Ombachi left us in bad hands.
Simiyu reposted
Bob Vylan
Bob Vylan@BobbyVylan·
@metpoliceuk let me get this straight, you lot are going to investigate me for something I’ve already been investigated for, twice, by two separate forces (you were one of them) which both resulted in no further action? Did Mark Rowley get a call from some of his friends?
Simiyu reposted
Bane
Bane@MisterAlbie·
Iran is a top-ten destination for Kenyan tea. In 2024 we exported goods worth 50 million USD to Iran versus 7 million to Israel. Ignorance and stupidity will be the end of us.
Kíríku wawa Kínyanjui🇰🇪@kingethuk

@NahashonKimemia Kenyans have benefitted more from ISRAEL than from those Iranians and their cousins.

Simiyu
Simiyu@SimlawSimiyu·
@05BM44 What first aid was administered? I would hate for NTSA to be my goodbye....
︎ ︎
︎ ︎@05BM44·
Moi Avenue CBD, Nairobi County: Antony Muchai Kiriga, 68, from Githunguri, Kiambu, died after being struck with an empty Gilbey's Gin bottle on his left ear at around 0330Hrs near Ambassador bus stage. He was in the company of two other intoxicated men when a disagreement escalated 🧵
Simiyu reposted
f4lc0n
f4lc0n@al_f4lc0n·
I Saved Injective's $500M. They Pay Me $50K.
I like hunting bugs on @immunefi. I'm decent at it.
- #1 — Attackathon | Stacks
- #2 — Attackathon | Stacks II
- #1 — Attackathon | XRPL Lending Protocol
- 1 Critical and 1 High from bug bounties (not counting this one)
Life was good.
Then I found a Critical vulnerability in @injective. This vulnerability allowed any user to directly drain any account on the chain. No special permissions needed. Over $500M in on-chain assets were at risk.
I reported it through Immunefi. The next day, a mainnet upgrade to fix the bug went to governance vote. The Injective team clearly understood the severity.
Then — silence. For 3 months. No follow up. No technical discussion. Nothing.
A few days ago, they notified me of their decision: $50K. The maximum payout for a Critical vulnerability in their bug bounty program is $500K.
I disputed it. Silence again. No explanation for the reduced payout. No explanation for the 3 month ghost. No conversation at all.
To be clear: the $50K has not been paid either.
I've seen others share bad experiences with bug bounty payouts recently. I never thought it would happen to me.
I can't force them to do the right thing. But I won't let this be forgotten.
I will dedicate 10% of all my future bug bounty earnings to making sure this story stays visible — until Injective pays what I deserve.
Full Technical Report: github.com/injective-wall…
Simiyu reposted
Okiya Omtatah Okoiti
Okiya Omtatah Okoiti@OkiyaOmtatah·
And then the rains came…. Nairobi’s flood response is literally in God’s hands. 🙏🏾
chief ®@e_nyamai2

@kinyiarra @Honeyfarsafi There was a time when Edwin Sifuna questioned the people appointed by Sakaja to head disaster management in Nairobi County after they were found to have degrees in theology. Do you remember that?
