radar

DEEP_DIVE_STORY.LNK

howtonotcode.com // protocol_active
arrow_back_ios RETURN_TO_FEED
READ_TIME 0:31_MIN
LIVE_REDACTION
PYPI PUB_DATE: 2026.03.25

LITELLM PYPI COMPROMISE SHOWS WHY TO TURN ON DEPENDENCY COOLDOWNS NOW

A malicious LiteLLM 1.82.7/1.82.8 PyPI release briefly stole developer creds on install, highlighting the value of package “cooldown” age gates. Simon Willison...

LiteLLM PyPI compromise shows why to turn on dependency cooldowns now

A malicious LiteLLM 1.82.7/1.82.8 PyPI release briefly stole developer creds on install, highlighting the value of package “cooldown” age gates.

Simon Willison details how LiteLLM 1.82.8 shipped a base64 credential stealer via a .pth file that executed on install, with 1.82.7 hiding a similar payload behind an import. PyPI quarantined the package within hours, but the stealer vacuumed SSH keys, cloud configs, Docker creds, and shell histories if it landed post.

He also surveys built-in “dependency cooldown” features now available across major package managers—pnpm, Yarn, Bun, Deno, uv, pip, and npm—so teams can delay picking up very fresh releases while the ecosystem vets them roundup.

[ WHY_IT_MATTERS ]
01.

Supply-chain attacks increasingly target build and developer machines, and this one ran on install without an import.

02.

Most package managers now support minimum-age gates, giving you a simple, low-friction guardrail against malicious fresh releases.

[ WHAT_TO_TEST ]
  • terminal

    Enable a 48–72 hour minimum release age in your primary package managers (pnpm/Yarn/npm/Bun/Deno/uv/pip) and validate exemptions for internal packages.

  • terminal

    Run a targeted secret sweep on any environments that may have installed LiteLLM 1.82.7/1.82.8 and test credential rotation playbooks end-to-end.

[ BROWNFIELD_PERSPECTIVE ]

Legacy codebase integration strategies...

  • 01.

    If any dev or CI host installed LiteLLM 1.82.7/1.82.8, assume compromise: rotate SSH, cloud, Docker, Git, and registry tokens; rebuild affected images.

  • 02.

    Roll out cooldown gates and lockfiles in existing repos; add per-package overrides for trusted internal artifacts to reduce friction.

[ GREENFIELD_PERSPECTIVE ]

Fresh architecture paradigms...

  • 01.

    Start with a default cooldown window, an internal registry mirror, and reproducible builds; document an exemption workflow.

  • 02.

    Scope CI credentials to read-only where possible and keep tokens ephemeral to reduce blast radius from similar incidents.

arrow_back
PREVIOUS_DATA_LOG
From agent demos to governed fleets: JetBrains Central signals the AI agent control plane
Initialize_Return_to_Core
LINK_STATUS: 127.0.0.1 (SECURE)
NEXT_DATA_LOG
Google donates llm-d LLM inference gateway to CNCF Sandbox
arrow_forward
SUBSCRIBE_FEED
Get the digest delivered. No spam.
Terminate_subscription anytime.