Timo Mulder - eu/acc 🇪🇺🇳🇱

French judge Nicolas Gouyou, who issued an arrest warrant for Netanyahu at the ICC: • Visa and Mastercard have blocked all my cards • I cannot make any purchases • I am a judge, yet treated like a criminal • Judges, lawyers, and politicians are being intimidated • A colleague told me my name won’t be removed from the blacklist until Trump’s term ends • Despite intervention by the French president, U.S. authorities have not responded

BREAKING: Just five minutes before Trump's announcement to halt the attacks on Iran, massive trades reportedly hit the market. In one move, $1.5 billion in S&P 500 (ES) futures was bought while $192 million in oil (CL) futures was sold. These orders were 4–6x larger than anything else at the time. The trader seemingly made huge gains. Unusual.

BREAKING: Just five minutes before Trump's announcement to halt the attacks on Iran, massive trades reportedly hit the market. In one move, $1.5 billion in S&P 500 (ES) futures was bought while $192 million in oil (CL) futures was sold. These orders were 4–6x larger than anything else at the time. The trader seemingly made huge gains. Unusual.

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

"The president doing this is crucial. I've seen the polling, but I really hope American people will be with him because he's doing this to make the whole world safer". How judicious on the part of Rutte to cheer a war pushing world toward economic crisis.

5 minutes before Trump’s announcement: * $1.5B notional worth of S&P500 (ES) futures are bought in a single clip. * $192M notional of oil futures (CL) sold. More than 4x-6x any other trade size during the market close. Insiders profited from his lies in broad daylight!