Simon Willison (@simonw)

60.4K posts

Creator @datasetteproj, co-creator Django. PSF board. Hangs out with @natbat. He/Him. Mastodon: https://t.co/t0MrmnJW0K Bsky: https://t.co/OnWIyhX4CH

San Francisco, CA · Joined November 2006
5.6K Following · 153.1K Followers
Patrick Senti (@productaizery):
@simonw @pelaseyed @doodlestein Thanks, very helpful. I guess in addition, to protect against zero-days like today's, it is a good practice to delay auto updates by 7 days or more.
1 reply · 0 reposts · 0 likes · 86 views
Jeffrey Emanuel (@doodlestein):
This kind of thing happens way too often. For any package that’s this popular (40k+ GitHub stars in this case), it just seems like a total no-brainer that PyPI/npm/crates.io/etc. should do AI-powered scans for this pattern of attack. It would be trivial to make a skill to do this: just check the diff since the last version and look for anything suspicious. I could do this in an hour. Have a big new blob of base64 encoded text? Or any unexplained big mystery blob? Have a new URL string that looks like it could be a sketchy command and control site? Not to mention, these package managers have a ton of additional data, like the IP address of the authenticated user that’s pushing the change. Does this match, or at least have a similar estimated geolocation as all previous connections historically? You can build up a risk profile in this way for every new release. If it looks too suspicious, the AI can flag it and require additional verification steps and put a 48-hour hold on publishing the new version, instead putting it in a public staging area for review by the community along with the analysis explaining why it looked fishy. All this could be done for a couple bucks worth of tokens, tops, for each release. And to keep costs reasonable, you would only do this for these huge projects where a supply chain compromise would impact lots of people and companies. The big AI labs should just offer free tokens to these library projects to do this at scale as a public service.
Quoting Daniel Hnyk (@hnykda):

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that the LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to a remote server and self-replicate. Link below.

25 replies · 6 reposts · 187 likes · 24.8K views
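The two posts above describe the same triage idea from two sides: the quoted post names the vector (a `.pth` file in the release carrying a base64 blob) and the reply lists the checks a registry could run on the diff between releases (new base64 blobs, new URLs). The block below is an added example written for this page, not code from the thread, from LiteLLM or from any registry. It models a release as a mapping of file path to text content and compares two of them; `scan_release`, `looks_like_base64`, `pth_import_lines` and the two sample releases (including the placeholder file name `example_init.pth` and the placeholder host `collector.invalid`) are all constructed for the example. The one real fact it leans on is how CPython's `site` module handles `.pth` files: any line beginning with `import ` is executed at interpreter startup, which is why a `.pth` file with an `import` line in a release diff deserves a look on its own.

```python
"""Release-diff triage for the patterns discussed in the thread.

Added example, not LiteLLM or PyPI code. A release is modelled as a
dict of file path -> file text; scan_release() reports only on files
that are new or changed relative to the previous release.
"""
import base64
import binascii
import re
from typing import Dict, List

# A long run of base64 alphabet characters with optional '=' padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Cheap URL matcher; stops at whitespace, quotes and closing brackets.
URL = re.compile(r"https?://[^\s'\"<>)]+")


def looks_like_base64(token: str) -> bool:
    """True if the token decodes cleanly and is not a hex digest or a
    single repeated character (both are valid base64 but uninteresting)."""
    if re.fullmatch(r"[0-9a-fA-F]+", token):
        return False  # sha256/md5 digests would otherwise be flagged
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(set(token)) > 8 and len(raw) >= 24


def pth_import_lines(content: str) -> List[str]:
    """Lines of a .pth file that CPython's site.py will execute at startup:
    those beginning with 'import ' (or 'import<TAB>')."""
    return [ln.strip() for ln in content.splitlines()
            if ln.startswith(("import ", "import\t"))]


def scan_release(previous: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Return findings for new/changed files in `current`.

    Kinds: pth_import (executable line in a .pth file), base64_blob (new
    decodable blob of 40+ chars), new_url (URL absent from the old release)."""
    findings: List[dict] = []
    prev_urls = set()
    for text in previous.values():
        prev_urls.update(URL.findall(text))

    for path, text in sorted(current.items()):
        old_text = previous.get(path)
        if old_text == text:
            continue  # unchanged file: nothing new to look at
        old_text = old_text or ""

        if path.endswith(".pth"):
            for line in pth_import_lines(text):
                findings.append({"path": path, "kind": "pth_import",
                                 "detail": line[:80]})

        for tok in BASE64_RUN.findall(text):
            if tok in old_text:
                continue  # blob already existed in the previous release
            if looks_like_base64(tok):
                findings.append({"path": path, "kind": "base64_blob",
                                 "detail": f"{len(tok)} chars"})

        for url in URL.findall(text):
            if url not in prev_urls:
                findings.append({"path": path, "kind": "new_url", "detail": url})
    return findings


# Constructed sample releases (not real package contents). The "blob" is
# just base64 of a harmless sentence so the scanner has something to find.
BLOB = base64.b64encode(b"constructed sample payload text, not real malware " * 2).decode()

PREVIOUS_RELEASE = {
    "pkg/__init__.py": "__version__ = '1.0.0'\nAPI = 'https://api.example.com/v1'\n",
    "pkg/client.py": "def get(url):\n    return url\n",
}
CURRENT_RELEASE = {
    "pkg/__init__.py": "__version__ = '1.0.1'\nAPI = 'https://api.example.com/v1'\n",
    "pkg/client.py": "def get(url):\n    return url\n",
    "example_init.pth": f"import base64; DATA = base64.b64decode('{BLOB}')\n",
    "pkg/telemetry.py": "ENDPOINT = 'https://collector.invalid/upload'\n",
}


def triage_sample() -> List[dict]:
    """Run the scanner over the constructed releases."""
    return scan_release(PREVIOUS_RELEASE, CURRENT_RELEASE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['kind']:12} {f['path']:22} {f['detail']}")
```

On the constructed sample the scanner reports three findings: the executable `import` line in the `.pth` file, the new base64 blob inside it, and the URL in `pkg/telemetry.py` that no earlier release contained, while the unchanged `pkg/client.py` and the pre-existing `api.example.com` URL produce nothing. None of these is proof of compromise on its own; the point of the design is the one the reply makes, that each is a cheap signal to raise a hold-for-review on, and that the hex-digest and repeated-character filters in `looks_like_base64` are what keep lockfiles and checksum tables from drowning the real hits.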
Simon Willison (@simonw):
@pelaseyed @doodlestein The registries that DO make those promises are things like the Ubuntu/Debian operating system package repos - there's a reason it can take weeks, months or even years for updates to show up there
2 replies · 0 reposts · 6 likes · 174 views
Simon Willison (@simonw):
@pelaseyed @doodlestein And they mostly shouldn't, can you imagine how uneconomical it would be for a package registry to make guarantees that the packages in that registry are free from malware?
2 replies · 0 reposts · 7 likes · 275 views
Simon Willison (@simonw):
Turns out you can run enormous Mixture-of-Experts models on Mac hardware without fitting the whole model in RAM by streaming a subset of expert weights from SSD for each generated token - and people keep finding ways to run bigger models. Kimi 2.5 is 1T, but only 32B active, so it fits in 96GB.
Quoting seikixtc (@seikixtc):

I got a 1T-parameter model running locally on my MacBook Pro. LLM: Kimi K2.5, 1,026,408,232,448 params (~1.026T). Hardware: M2 Max MacBook Pro (2023) w/ 96GB unified memory. Running on MLX with a flash-style SSD streaming path + local patching. This is an experimental setup and I haven’t optimized speed yet, but it’s stable enough that I’ve started testing it in an autoresearch-style loop. #LocalAI #MLX #MoE

108 replies · 263 reposts · 3.6K likes · 296.5K views
readwith (@readwithai):
@simonw Right decision, wrong justification and optics.
1 reply · 0 reposts · 1 like · 110 views
John Monarch (@realjohnmonarch):
@simonw @bernaferrari @mSanterre I will note - I don't claim to be a C expert. I don't trust myself writing it *at all*. But that's exactly like you said, why I also wouldn't trust an LLM to write it.
1 reply · 0 reposts · 0 likes · 20 views
Simon Willison (@simonw):
@realjohnmonarch @bernaferrari @mSanterre As always though, the trick is to arm them with a good coding agent harness and the right collection of tools - compilers and debuggers and linters and fuzzers and suchlike. I don't trust any code produced by a model directly until I've seen the model run it.
1 reply · 0 reposts · 3 likes · 54 views
Simon Willison (@simonw):
@realjohnmonarch @bernaferrari @mSanterre I would not have trusted LLMs with C code a year ago, but today's models appear to be very good at reasoning through memory management and other tricky aspects. That said, I'm not enough of a C expert myself to credibly evaluate what they're doing!
1 reply · 0 reposts · 2 likes · 48 views
Simon Willison (@simonw):
@witchof0x20 I don't understand how that benefits the attackers though, surely it just makes the issue MORE visible?
4 replies · 0 reposts · 12 likes · 1.5K views
Simon Willison (@simonw):
@OrganicGPT It appears to work fast enough to be interesting on the latest Mac hardware
2 replies · 0 reposts · 27 likes · 3K views
Behnam (@OrganicGPT):
@simonw Wasn't this done like two years ago? And the bottleneck has always been the bandwidth, so I'm not sure, aside from being a hobby project, what kind of actual use case this will have.
3 replies · 1 repost · 21 likes · 3.4K views
Simon Willison (@simonw):
@mSanterre Think about journalists who sometimes need to protect their anonymous sources from governments with subpoena powers
0 replies · 0 reposts · 46 likes · 2.8K views
max (@mSanterre):
@simonw I'll never understand why people would want to do this unless they're doing criminal activity
10 replies · 0 reposts · 5 likes · 3.3K views
Simon Willison reposted
ModelScope (@ModelScope2022):
The answer everyone is waiting for is here: there will be more open Qwen models!🚀 In today's ModelScope DevCon @Nanjing, Jingren made a public appearance and confirmed that Alibaba is committed to continuously open-sourcing new Qwen and Wan models. 🌟Stay tuned!👀
ModelScope tweet media
27 replies · 62 reposts · 467 likes · 75.3K views