LiteLLM PyPI has been compromised an hour ago, do not update (futuresearch.ai)
1 day ago [-]
darkteflon 1 day ago [-]
We recently switched to pnpm, in part to guard against supply chain attacks (https://pnpm.io/supply-chain-security).

Reading this got me wondering whether uv has something similar, and indeed it does appear to (https://docs.astral.sh/uv/reference/settings/#exclude-newer)
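As an added illustration (not code from the thread, pnpm or uv), here is the filtering rule both of those settings apply, modelled offline over metadata in the shape of the PyPI JSON API (`releases` -> version -> list of files, each with `upload_time_iso_8601`): a version is only a candidate once every file in it is older than a cutoff, so a freshly pushed malicious release is held back instead of installed. The package name, versions and timestamps are constructed samples.

```python
"""Offline model of a minimum-release-age filter (uv exclude-newer / pnpm).

Input is metadata shaped like the PyPI JSON API: version -> list of files,
each carrying an ``upload_time_iso_8601`` field. A version survives only if
all of its files were uploaded at or before the cutoff; the newest surviving
version is what a resolver would pick, and held-back versions are reported.
"""
from datetime import datetime, timedelta, timezone


def _parse_ts(ts: str) -> datetime:
    # PyPI emits e.g. "2025-03-01T08:00:00.000000Z"; normalise the Z suffix
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(v: str) -> tuple:
    # Simple X.Y.Z ordering; enough for the constructed sample data
    return tuple(int(p) for p in v.split("."))


def filter_releases(releases: dict, cutoff: datetime) -> tuple:
    """Split versions into (allowed, held_back) under the cutoff rule."""
    allowed, held_back = [], []
    for version, files in releases.items():
        if not files:
            continue  # a release with no files cannot be installed anyway
        newest_upload = max(_parse_ts(f["upload_time_iso_8601"]) for f in files)
        (allowed if newest_upload <= cutoff else held_back).append(version)
    return sorted(allowed, key=_version_key), sorted(held_back, key=_version_key)


def pick_version(releases: dict, cutoff: datetime):
    """Newest version that passes the cutoff, or None if nothing qualifies."""
    allowed, _ = filter_releases(releases, cutoff)
    return allowed[-1] if allowed else None


# Constructed sample metadata for a hypothetical package "examplepkg"
SAMPLE_RELEASES = {
    "1.80.0": [{"filename": "examplepkg-1.80.0-py3-none-any.whl",
                "upload_time_iso_8601": "2025-02-10T09:15:00.000000Z"}],
    "1.81.0": [{"filename": "examplepkg-1.81.0-py3-none-any.whl",
                "upload_time_iso_8601": "2025-03-01T08:00:00.000000Z"}],
    # Pushed an hour before "now": exactly the release a 7-day rule holds back
    "1.81.1": [{"filename": "examplepkg-1.81.1-py3-none-any.whl",
                "upload_time_iso_8601": "2025-03-21T03:00:00.000000Z"}],
}
NOW = datetime(2025, 3, 21, 4, 0, tzinfo=timezone.utc)  # constructed clock
CUTOFF = NOW - timedelta(days=7)  # minimum release age of one week

if __name__ == "__main__":
    allowed, held_back = filter_releases(SAMPLE_RELEASES, CUTOFF)
    print("install:", pick_version(SAMPLE_RELEASES, CUTOFF))
    print("held back (newer than cutoff):", held_back)
```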

nateb2022 7 hours ago [-]
Wherever practical, I also recommend using devcontainers, so that in addition to breaking supply chain security, large-scale damage would require an unpatched sandbox exploit too.
rgambee 2 days ago [-]
It's also been reported to their GitHub: https://github.com/BerriAI/litellm/issues/24512
Bullhorn9268 2 days ago [-]
yeah, updated in the post
parad0x0n 2 days ago [-]
Thank you!