20+ hour, 35+ min ago  (1414+ words) I'm the engineer who got PyPI to quarantine litellm. Here's the full recording of how I found it. Developers not trained in security research can now sound the alarm at a much faster rate than previously. AI tooling has sped…...

21+ hour, 42+ min ago  (919+ words) 47,000 downloads in 46 minutes. 2,337 dependent packages. 88% unprotected. Yesterday we reported that litellm versions 1.82.7 and 1.82.8 on PyPI contained malware that exfiltrates credentials and attempts lateral movement across Kubernetes clusters. PyPI quarantined both versions within 46 minutes. We queried the BigQuery PyPI dataset for…...

1+ day, 18+ hour ago  (341+ words) How a supply chain attack on PyPI got us through a Cursor-launched MCP server the old-fashioned way It started with my machine stuttering hard, something that really shouldn't be happening on a 48GB Mac. htop taking 10s of seconds to load, CPU…...

2+ day, 6+ hour ago  (296+ words) A compromised release steals credentials and spreads to Kubernetes clusters Update (12:30 UTC): version 1.82.7 is also compromised, in addition to 1.82.8 Update (13:03 UTC): The public GitHub issue has been closed as "not planned" by the owner, and is spammed by hundreds of…...

1+ week, 19+ hour ago  (465+ words) Excel's not the only one who likes turning random text into dates. If you work with dates in JavaScript, you've probably reached for new Date(someString) at some point. It's convenient: pass in a string, get back a Date object....

1+ week, 2+ day ago  (422+ words) General inquiry? You can reach us at [email protected]. Seven operations for processing data with LLM-powered web research agents. Each takes a DataFrame and a natural-language instruction. screen takes a DataFrame and a natural-language filter predicate, evaluates each row using web…...