Pradeep Nagapuri

3.2K posts

@npradeep_

Founder & CEO - Effimal (AI Agents x Supply Chain, Commerce, Pharma) | Bestinhere. Tweets on AI, Technology, Products, F1, Football.

Mumbai, joined May 2008
392 Following, 188 Followers
Pradeep Nagapuri retweeted
Years Progress @YearsProgress
2026 is 25% complete.
Pradeep Nagapuri retweeted
Y Combinator @ycombinator
Every student accepted into Startup School India now gets $25k+ in AI and cloud credits. Apply, get in, and start building: events.ycombinator.com/yc-sus-india
Pradeep Nagapuri retweeted
Andrej Karpathy @karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk @hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below

Pradeep Nagapuri retweeted
Daniel Hnyk @hnykda
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below
Pradeep Nagapuri retweeted
Years Progress @YearsProgress
2026 is 22% complete.
Pradeep Nagapuri @npradeep_
Early morning at #MarineDrive today. You find solace here. Everywhere else it's a dug-up mess. #mumbai Passed through #IIT main gate, reminded me of the popular buffalo(student) meme.
Pradeep Nagapuri retweeted
FIA @fia
Bahrain and Saudi Arabian Grands Prix will not take place in April. #FIA #F1
Pradeep Nagapuri @npradeep_
Strength training🏋️ + #F1 + Claude Code serves Sunday right. 😂
Pradeep Nagapuri retweeted
Mumbai Rains @rushikesh_agre_
🔴 12 PM.. Many parts of Western suburbs of Mumbai are between 39-40°C stretch🌡️📈 Interiors also 41°C+ Stay hydrated, Mumbaikars 💧
Pradeep Nagapuri retweeted
Gaurab Chakrabarti @Gaurab
Sumitomo Chemical declared force majeure yesterday, making it the fifth Asian chemical company in a single week. First Chandra Asri in Indonesia, then Yeochun NCC in South Korea. By March 5, Petrochemical Corporation of Singapore had declared force majeure on 1.1 million tons of ethylene capacity on Jurong Island. Aster followed a day later with its cracker running at half capacity. The root cause is the same for all five: naphtha, the feedstock these plants break down into the base chemicals behind plastics, rubber, and packaging. Asian steam crackers source most of their naphtha from the Middle East, and virtually all of it transits the Strait of Hormuz. When the Strait closed, all five lost their feedstock within days. Five force majeures in seven days. This is a massive disruption of the chemicals that hold the global economy together. Polymer prices are already up double digits. Everything downstream gets more expensive from here.
Pradeep Nagapuri retweeted
Gaurab Chakrabarti @Gaurab
The last time global supply chains broke our business went from $12M to $60M a year. The U.S. imports $115 million a day in specialty chemicals. Among them: tolyltriazole and benzotriazole, the corrosion inhibitors protecting military equipment. Most of that comes from China. Same story with the orthophosphates that keep lead out of our drinking water. When COVID hit, companies that had ignored supply chain risk were exposed. They needed a domestic supplier. We make specialty chemicals from corn sugar, not oil. Our plants sit next to the customer. The lesson: build where the points of failure are. Find the products where one black swan event flips the entire market.
Pradeep Nagapuri retweeted
Gaurab Chakrabarti @Gaurab
The Strait of Hormuz has been closed for 8 days. Everyone thinks this is about oil. This is about what oil becomes. 92% of the world's sulfur comes from refining oil and gas. Close the Strait of Hormuz and you don't just lose 20 million barrels of crude per day. You lose the feedstock for sulfuric acid, the single most produced chemical on Earth. Sulfuric acid is how we extract copper. It's how we extract cobalt. Without it, you can't make transformers, EV batteries, or the substrates inside every data center on the planet. One chemical, made from one feedstock, shipped through one chokepoint. The cascade goes further: Qatar ships 30% of Taiwan's liquefied natural gas through Hormuz. Taiwan has 11 days of reserves left. TSMC, the company that makes 90% of the world's advanced chips, draws 8.9% of Taiwan's total electricity. No gas, no power, no chips. Then food. 33% of the world's nitrogen fertilizer feedstock moves through the Strait. Half of all humans alive today exist because of synthetic nitrogen. Sulfur, semiconductors, food. That makes three supply chains, one 21-nautical-mile chokepoint, and zero domestic alternatives at scale.
Pradeep Nagapuri retweeted
Massimo @Rainmaker1973
Marine traffic in the Strait of Hormuz since the Iran war began
Pradeep Nagapuri retweeted
Years Progress @YearsProgress
2026 is 18% complete.
Pradeep Nagapuri @npradeep_
@joy014 @ScuderiaFerrari Add reliability to that 😃, it's fun when regulations change unless one team has a dominant package like Redbull(Vettel), Merc(Hamilton), Redbull(Max) in their respective periods of leading the pack.