Sandfish6811

@GossiTheDog LiteLLM has a similar supply chain incident. Could be the same group. https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
Supply Chain Attack in litellm 1.82.8 on PyPI

litellm version 1.82.8 on PyPI contains a malicious .pth file that harvests SSH keys, cloud credentials, and secrets on every Python startup, then attempts lateral movement across Kubernetes clusters.

FutureSearch
@buherator I can't reduce my privileges to user? Let's just continue to run as root. Sounds good :D I like the creative approaches in all of the details. Really interesting stuff in this.
@buherator There is some dubious information in this one. It says the salt part of the bcrypt hash is fixed per user and does not change when a user chooses a different password. I did not check if it is actually implemented like this, but wouldn't you usually generate a new salt per password? Also the challenge-response part does not check out. It says the challenge response AND the user's password hash are sent back to the server. This would defeat the whole purpose of the challenge-response.