Jake Manger

@jakemanger
A PhD student turned indie developer building mini startups like a madman.
& ✍️ on
📖 medium
What I'm building: https://howtoconvert.co
My Homepage: https://merlinsbeard.ai
Medium: https://medium.com/@jakemanger
It runs completely locally as a desktop app and you can get it at https://howtoconvert.co
How to Convert

Convert almost any file locally - nothing gets uploaded to the cloud. Do 5384 document, video, image, audio & email conversions with one app for Mac, Windows & Linux.


I made an app to convert almost any file to any other file

2,410 people are now using it

And it does 5,384 types of document, video, image, audio and email file conversions

Went full time on my side project in January

Realised my boss (me) only lets me have 0 or 1 days off a week

But also: never been happier

At a cafe getting reaaal close to launching the next app
You can learn more at https://howtoconvert.co

I'm building an app to convert almost any file locally

This week I added 1,399 new possible file conversions
(from 3,985 to 5,384 document, video, image, audio, comic and email conversions)

It now converts more file types than any other converter

1. Check for backdoors at ~/.config/sysmon/sysmon.py
2. Rotate every credential on that machine
3. Check for suspicious pods: kubectl get pods -A | grep node-setup-

Safe version: anything ≤ 1.82.6
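
The file and version checks from the list above, plus a scan for `.pth` startup hooks of the kind the thread describes for 1.82.8, as an added example that is not part of the original posts. The function names are hypothetical; the affected versions and the backdoor path are the ones given in the thread. Legitimate packages also ship `.pth` files with `import` lines, so each hit needs a manual look.

```python
"""Local triage for the LiteLLM 1.82.7 / 1.82.8 incident described in the thread."""
import site
from importlib import metadata
from pathlib import Path

AFFECTED = {"1.82.7", "1.82.8"}              # versions named in the thread
BACKDOOR = Path(".config/sysmon/sysmon.py")  # path named in the thread, relative to $HOME


def installed_version(dist="litellm"):
    """Return the installed version string, or None if the package is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def pth_exec_lines(site_dir):
    """List (file, line) pairs that Python's site module would execute at startup.

    In a .pth file, a line starting with 'import' plus a space or tab is run as
    code on every interpreter start; every other line is only a path entry.
    """
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, line.strip()))
    return hits


def audit(home, site_dirs, version):
    """Collect the findings for one machine without changing anything on it."""
    return {
        "affected_version": version in AFFECTED,
        "backdoor_file": (Path(home) / BACKDOOR).is_file(),
        "pth_exec_lines": [h for d in site_dirs if Path(d).is_dir()
                           for h in pth_exec_lines(d)],
    }


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = audit(Path.home(), dirs, installed_version())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with each interpreter or virtualenv that may have installed the package, since every environment has its own site-packages directory.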

Attackers compromised Trivy (a security scanner) first. When LiteLLM's CI ran Trivy, it leaked their PyPI token. With that token, they published the poisoned versions.

Worst part: version 1.82.8 used a .pth file. The malicious code ran every time Python started. Even when you just ran pip.

There's a few articles popping up about this. Quite a huge deal, as MANY agent toolkits (even one I'm making in a personal project) use LiteLLM behind the scenes.

If you installed either version:

In hindsight: a bad choice of a hero message

If you haven't heard, two versions of LiteLLM got hacked yesterday (1.82.7 and 1.82.8)

Live on PyPI for 3 hours. Downloaded 3.4 million times per day.

Stole SSH keys, AWS credentials, Kubernetes secrets, API keys, Docker registry credentials, and crypto wallet seed phrases.

How it happened:

I made an app to convert almost any file locally
(so you don't send your files to random servers)

And now it supports COMIC book files! CBZ, CBR and CBT
(these are also free to convert on the website)