RE: https://mstdn.social/@hkrn/116284264915152671

lol oh my god i feel **so fucking smug** right now, it's incredible. my whole body is tingling.

i was using this package in one of my projects. i found it had a bug, and when i went to maybe try to make a contribution to the open source repository, i found it to be a huge shitpile of vibe-coded mess. methods that were thousands of lines long with **hundreds** of arguments, it was impossible, and **very** alarming. it was clear to me that no one was watching the shop, so i immediately set about removing it from my project. and now, this. 🤗
there are **tons** of AI-related projects that use LiteLLM. it is a key part of the basic infrastructure of LLM-based development. if you use an LLM-based project, there is a good chance it uses LiteLLM.
(if you're curious, it does this very useful thing of standardizing LLM APIs into a single format. makes it easy for your app to switch between Anthropic, OpenAI, Google, z.ai, etc.)
this is actually a huge reason i have decided not to jump into LLM and AI agent-related development. the ecosystem is (as you would expect) run and maintained by people who are all-in on vibe coding, so a package you might like and include in your project could easily become a dangerous, unmaintainable mess within months. i don't know if people understand how brittle the whole thing is. everything is constantly, **constantly** changing.
like, it's moving **way** too fast for anyone to be able to tell if things are going to break or get injected with some malware. the whole thing is a house of cards built on top of a bomb.
oh my fucking god.
let's see, who can i tag about this... @davidgerard will definitely want to know. @tante maybe. idk, tag your favorite cyber-security person. this might be the mother of all LLM supply chain attacks lol. @briankrebs

plenty of good chatter on Hacker News about it. https://news.ycombinator.com/item?id=47501729

looks grim!!

LiteLLM Python package compromised by supply-chain attack | Hacker News

me right now
Self-propagating malware poisons open source software and wipes Iran-based machines

Development houses: It's time to check your networks for infections.

Ars Technica
picking through the various bits and pieces of this story, i kind of think what really happened is the dev accounts got pwned, and then the attackers were able to push a bad version to PyPi and people pip installed it from there. so as far as a "supply chain" attack, LiteLLM is the part of the supply chain that got attacked, it's not like they accidentally vibe-coded something malicious into their project.
but this still goes back to what i was saying: this AI ecosystem is developing **way** too fast and without the kind of maturity that is naturally required when you have lots of people working on a thing. so with berri.ai, you had ~2 guys in their 20s building this thing at break-neck speed that became the linchpin to waaaaay too much of the "AI" ecosystem and now look what's happened.
@peter like how OpenAI just hired the guy who "made" OpenClaw. but it's not clear to me how much of that he truly designed and wrote himself (i.e. like a real programmer or software engineer) vs how much was the result of him prompting an LLM to spit it out. He appeared to have tons of repos and was a self-promoting YouTube Influencer type more than a real programmer.
@peter and @dangoodin sometimes hangs out here
@gfitzp oh yeah, it's those guys!
@gfitzp oh nooooo
@peter Yup, I was like "didn't I just read about these guys like an hour ago??"
@gfitzp @peter lots of the crypto/blockchain bros jumped ship for AI/LLMs a few years ago, after Bitcoin price collapsed and tons of their mining hardware risked becoming worthless. but lots of that hardware could be repurposed from mining blocks to doing training/inference. not perfect fit but better than nothing
@peter I am, for one rare moment, actually glad to read the HN comments. The one from the dude complaining that blocking all downloads of the compromised package breaks all his setups because they're written to automatically pull a bunch of packages off the net every time they start was... :chefskiss:
@[email protected] lmao oh my god that one is amazing 😂
@wordshaper @peter my technical literacy is at the level where 90% of the discussion reads like "why would anybody be fnorbing the blatimatronic quindlewurble instead of pretarnishing the distro with spleem 2.037?" and yet the stupidity of that comment still shone through to me like the Beacon of Gondor.

@wordshaper @peter <whisper>people do that?</whisper>

(Who am I kidding? Of course people do that.)

@peter Love everyone reinventing security from first principles, although "maybe don't use the fucking slop extruder" is apparently not an option. I mean, the second top comment begins: "We just can't trust dependencies and dev setups."

You absolutely can trust dependencies, you just have to use ones that were not written by fucking amateur grifters!

@peter @tante @briankrebs thank you for this comedy gold
@peter @tante @briankrebs we've replaced Jia Tan with a very small prompt
@davidgerard @peter @[email protected] @briankrebs Jia Tan (and APT-class hackers in general) will be having a field day mowing through the FOSS AI ecosystem, since it's dominated by young newbs and the intellectually lazy. like a chainsaw through butter
@peter is wrapping a vibe coded mess into a package so it looks reasonable the new sub-prime mortgage?
@NaN @peter It's more properly understood as akin to the product innovation that was crack in the 1980s.
@NaN @peter @onepict how soon before we can invest in super senior tranches of collateralised technical debt obligations?
@NaN @peter You put it in a container and it’s a collateralized technical debt obligation.
@mathew @peter I dread to think what we call it once it's wrapped in a container orchestrator
@NaN @peter An Automated Insecurity Generator, or AIG for short?
@peter this is why, when presented with the mandate to use this stuff at work, we told our boss "ok, but, we're going to be developing our own toolchain"

@peter

That xkcd comic with the stacked blocks, but instead of one guy in Nebraska, it's LLM slop.

@peter Who could have seen this coming?

@tsturm @peter

It was about as hard to see coming as your bukkake squad!

Follow for more great metaphors!

@peter it isn’t even necessary to compromise repos. If a malicious actor posts enough malicious code that gets mingled with the LLM training data, some poor souls will start vibe-coding malicious code directly into their own products.
@peter The crypto wallet checker in this compromise really underlines the fact that there's so much overlap between LLM boosters and crypto boosters. It's all the same marks. They just found something easier to sell to people.
@tael i think also, banks and payment processors have made it so much more difficult to steal and do anything with credit card numbers that there's not much point in going after those anymore, especially when finding someone's crypto passphrase is like picking up money off the ground.
@peter It's easy to siphon crypto, yeah, but turning that into spendable money has gotten much, much more difficult than it used to be.
@peter oh my a day ending in -y
@peter Semi-related: anyone know why that issue had hundreds of bot replies like "this worked for me"? Is that reputation farming or an active strategy to bury important information in slop?
@slab_bulkhead people were saying it's a thing this particular group does to muddy the water. pretty clever!
@peter
I could also see from the description of what's stolen by the credential-collecting part: almost all the tools and their config files are ones that don't follow the XDG directory structure.
So, if an attacked computer is configured properly, these credentials are just not there to be stolen. That's kinda hilarious.
An example: even if I have to have a .ssh in the root of the homedir, it's a symlink into .config/ssh, where no keys are present in ~/.config/ssh (and the config file is parameterised, so it doesn't include key paths, for example).