Ryan Miling

94 posts

@ryanmiling

PayTech enthusiast, Alchemist of sorts

Boulder, CO Joined February 2013
139 Following 40 Followers
Aakash Gupta @aakashgupta
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine. The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once. The poisoned version was published straight to PyPI.. no code on GitHub.. no release tag.. no review. Just a file that Python runs automatically on startup. You didn’t need to import it. You didn’t need to call it. The malware fired the second the package existed on your machine. The attacker vibe coded it… the malware was so sloppy it crashed computers.. used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn’t even know they had. That crash is the only reason thousands of companies aren’t fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months. The attack chain is the part that gets worse every sentence. TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials. Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one. The payload was three stages.. harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine.. deploy privileged containers across every node in the cluster.. install a persistent backdoor waiting for new instructions. TeamPCP posted on Telegram after: “Many of your favourite security tools and open-source projects will be targeted in the months to come.. stay tuned.” Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer’s machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours. The companies deploying AI the fastest right now have the least visibility into what’s underneath it.
Andrej Karpathy @karpathy

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

293
2.3K
11K
2.7M
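An added example, not part of either post above: a defender-side check for the transitive-dependency exposure both posts describe. It lists which installed packages pull in `litellm` and whether the installed version is the 1.82.8 release named in the quoted post. The sample environment is constructed; `mcp-plugin`, `agent-toolkit` and all version numbers other than 1.82.8 are hypothetical.

```python
import re
from importlib import metadata

# Release named in the quoted post; extend only from a published advisory.
FLAGGED = {"litellm": {"1.82.8"}}
REQ_NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def norm(name):
    """PEP 503 name normalisation, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """Map each installed distribution to (version, declared dependency names)."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        # Requires-Dist looks like "litellm>=1.64.0; extra == 'x'". Markers are not
        # evaluated here, so optional dependencies are over-reported.
        hits = (REQ_NAME.match(r) for r in dist.requires or [])
        if name:
            graph[norm(name)] = (dist.version, {norm(m.group(1)) for m in hits if m})
    return graph

def chains_to(graph, target):
    """Every chain 'top-level package -> ... -> target' among installed packages."""
    parents = {}
    for name, (_, deps) in graph.items():
        for dep in deps:
            parents.setdefault(dep, set()).add(name)
    chains = []
    def walk(node, path):
        ups = sorted(parents.get(node, set()) - set(path))  # skip cycles
        if not ups:
            chains.append(path[::-1])
        for up in ups:
            walk(up, path + [up])
    walk(target, [target])
    return chains

def audit(graph, flagged=FLAGGED):
    """For each flagged package present: its version and the chains that pull it in."""
    return [{"package": p, "version": graph[p][0], "flagged": graph[p][0] in bad,
             "chains": chains_to(graph, p)} for p, bad in flagged.items() if p in graph]

# Constructed sample environment (hypothetical names and versions, see lead-in).
SAMPLE = {"mcp-plugin": ("0.1.0", {"agent-toolkit"}),
          "agent-toolkit": ("2.0.0", {"litellm"}),
          "dspy": ("2.6.0", {"litellm"}), "litellm": ("1.82.8", set())}
```

Calling `audit(installed_graph())` runs the same check against the current Python environment; `audit(SAMPLE)` shows the plugin-to-litellm chain on the constructed data.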
Reed Timmer, PhD @ReedTimmerUSA
We have multiple chances for super tornado outbreaks through the middle of March! Now is not the time to carve up the National Weather Service! We at Team Dominator have always been huge supporters of our friends at the NWS. Even I cannot make a forecast without their valuable data and forecast model output. Please contact your representative in support of the NWS. Remember those missed tornado warnings in OK in November due to the office being short staffed? These problems could become more widespread with firings
295
1.2K
7.3K
418.7K
Ryan Miling @ryanmiling
This is the biggest takeaway I suggest everyone lock their sights on!
Elon Musk @elonmusk

As it becomes clear that @DOGE is working, you will see the long-term Treasury bill yields fall. And all Americans will benefit from lower interest payments on mortgages, small business debt, credit card and other loans.

0
0
0
39
R A W S A L E R T S @rawsalerts
🚨#BREAKING: Law enforcement are on high alert as over two dozen barges break loose heading down the Ohio River and shutting down multiple bridges 📌#Pittsburgh | #PA Currently, numerous law enforcement agencies, along with other authorities, are on high alert as approximately twenty-six barges have broken loose and are headed down the Ohio River. Out of an abundance of caution, law enforcement has shut down multiple bridges, including the McKees Rocks Bridge in Pittsburgh, Pennsylvania, and halted all traffic due to this incident. So far, twenty-three barges were loaded and three were empty, with six barges having jammed up against the Emsworth Dam. Extensive damage has been reported at Peggys Marina. Authorities are asking everyone in the area to please avoid this area until further notice.
Pittsburgh, PA 🇺🇸
2.2K
7.9K
19.9K
9.9M
Ryan Miling @ryanmiling
@unusual_whales _Could be_ done better. I don't think most companies will trust AI with their data/inventions esp if AI is centralized / not on-prem
1
0
0
112
unusual_whales @unusual_whales
Sam Altman says that all work that doesn't involve a deep emotional connection will be done faster, cheaper by AI.
243
188
1.4K
523.2K
unusual_whales @unusual_whales
Lyft's, $LYFT, CEO responded today to a clerical error that unintentionally inflated the company's earnings outlook: "First of all, it was on me… It was one zero." Rather than 500 basis points (5%) of growth for 2024, the actual increase will be 50 basis points (0.5%).
79
27
416
268.2K
Kylie Bearse @KylieBearseWX
Sun goes down before 5pm on Sunday after setting those clocks back #cowx
5
3
27
8.4K
Darren Rovell @darrenrovell
49ers defensive end Arik Armstead shares a game check. He makes $393,055 a game. 49.3% comes out in taxes.
7K
2.2K
23.8K
20.2M
Ryan Miling @ryanmiling
@benamurrey Proposition HH -- It's not...not raising taxes. ™️
0
0
0
35
Ben Murrey @benamurrey
To be clear, this is a $185 reduction from the ~$900 increase. In other words, instead of a $900 property tax increase, #PropHH would give this homeowner a $715 property tax increase & a $5,000 drop in TABOR refunds over the next decade. Prop HH is a tax increase. #copolitics
Mike Krause @CompleteKrause

New in @CompleteCO: If Proposition HH passes, the owner of a $500,000 house might enjoy a $185 reduction in property taxes next year. In return, he would give up over $5,000 in #TABOR refunds over the next decade #copolitics pagetwo.completecolorado.com/2023/10/01/gor…

4
84
198
5.5K
Ryan Miling @ryanmiling
@paulg @inerati From the OG OS to now I don't see it more than lipstick on a pig
0
0
0
10
Paul Graham @paulg
@inerati Perhaps, but if we should talk more about this, the reason we should is to encourage more people to ship ugly version 1s. This is one of the most successful products ever, so if it started out ugly, don't worry if your first version is.
82
82
2K
132K
Aveta👾🇭🇹 @Aliafonzy43
I would love to hear stories from senior+ engineers who pushed fuck ups to prod to know I’m not crazy for feeling some type of way to be told my code quality is poor due to code pushed to prod that I quickly fixed when I found the issues. Just wanna know if this is something common. Also PR requires 2 approvals.
227
155
1.4K
2.9M
Ryan Miling @ryanmiling
@rmascardo I think it appeals more to people that wear glasses or buy expensive sunglasses. Being outside of this customer profile I say "cool, but remember Google Glass's bellyflop?"
0
0
1
23