@Dios_0ficial @grok a friend wants to know the name of the girl in the red dress. Can you help her out?
English
Phiz
11.4K posts
Phiz
@PhizComms
Professional Communicator - CEO, PMCS - Digital Asset Management/GR/PR $BTC
Southern US เข้าร่วม Mart 2022
1.6K กำลังติดตาม4.6K ผู้ติดตาม
🔥🚨BREAKING: Chick-fil-A in Florida just fired the entire staff featured in this video
English
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine.
The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once.
The poisoned version was published straight to PyPI.. no code on GitHub.. no release tag.. no review. Just a file that Python runs automatically on startup. You didn’t need to import it. You didn’t need to call it. The malware fired the second the package existed on your machine.
The attacker vibe coded it… the malware was so sloppy it crashed computers.. used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn’t even know they had.
That crash is the only reason thousands of companies aren’t fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months.
The attack chain is the part that gets worse every sentence.
TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials.
Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one.
The payload was three stages.. harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine.. deploy privileged containers across every node in the cluster.. install a persistent backdoor waiting for new instructions.
TeamPCP posted on Telegram after: “Many of your favourite security tools and open-source projects will be targeted in the months to come.. stay tuned.”
Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer’s machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours.
The companies deploying AI the fastest right now have the least visibility into what’s underneath it.
Andrej Karpathy@karpathy
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
English
🚨HOLY CRAP!!!
The Houston TSA line has now stretched to a mind-blowing 150 minute-wait-time and has snaked around the airport, down an escalator and into BAGGAGE CLAIM!!!
THIS IS INSANE!!!!
English
@GraveWolfSif @40kARTdotcom Why do you think she’s having to go to underage ones?
English
@40kARTdotcom It is genuinely terrifying that there could be 10 men that'd want to participate, let alone thousands.
What sort of demented, degenerate, dumbshit man would participate in the sloppiest of seconds?
GTFOH.
English
Man's decided the cops aren’t doing enough so now he's launching desserts at speeding cars 😭
English
This self censoring sh*t on YouTube is out of control. I can barely get through a video without hearing something stupid like “unalived” and SA. It’s like it all have to be approved by the thought police before it gets to me. I could have sworn I checked the “over 21” box.
English
@AdamDoesMovies_ Adam, there are 5 categories of drink:
Water
Milk
Juice
Beer and
Coke
There is no “pop”.
English
@PhizComms Well, I sit corrected. A billion dollars for Supergirl😉
English
@Nerdrotics Dude! Claudia Sarne was the lead singer for 12 Rounds, who Trent Reznor discovered. She's married to Atticus Ross who's Trent's partner in NIN right now. This is exciting news! Check out their best song: youtube.com/watch?v=2ZPB-B…
YouTube
English
@Nerdrotics Dude! Claudia Sarne is/was the lead singer for 12 Rounds, who Trent Reznor discovered. She's married to Atticus Ross, who is currently 1/2 of NIN. This is exciting news! I cant wait to hear this. Check out their biggest song.
youtube.com/watch?v=2ZPB-B…
YouTube
English
🚨NEW VIDEO CLIP
SUPERGIRL IS IN BIG TROUBLE – James Gunn’s DCU Problems Run Deeper Than You Think👇
🔥youtube.com/watch?v=1EQc0K…🔥
YouTube
English
Los Angeles is so bad that you will get stabbed charging your car at the city library by a homeless man, and when an ambulance comes to save you, ANOTHER homeless man steals the ambulance while they’re tending to you at the scene leaving you no way to get to the hospital, and you die.
Sounds like South Africa…
KTLA@KTLA
The family of a man who was stabbed to death by a homeless man while he was charging his electric car outside the Downey City library has filed a claim against the city seeking $40 million in damages. Details: ktla.com/news/local-new…
English
@cardilabardi @best_clips__ You mean there’s a girl named after my favorite sauce?
English
@best_clips__ She shouldnt be cast w those women this btch belong in baddies w tesehki
English
