Remember when some dude detonated a sophisticated RV bomb in downtown Nashville next to some very expensive telecomms stuff after warning people to flee and it was out of the news before midnight?
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
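The point in the thread is that a loose range such as `litellm>=1.64.0` resolves to whatever is newest on PyPI at install time, so a release pushed an hour ago gets pulled into every transitive installer. Below is an added example (not code from the thread, from karpathy, or from the litellm/dspy projects) that shows the two controls a defender reaches for: a minimal resolver that illustrates which release a specifier selects, and an auditor that flags requirement lines with no exact pin and no `--hash` entry (pip refuses to install anything unhashed under `--require-hashes`). The requirements text, the release list and the sha256 digest are constructed for illustration; the digest is a placeholder, not a real hash.

```python
"""Audit a pip requirements file for exact pins and --hash entries, and show
which release a version specifier selects from a list of published versions.

Added example for the litellm thread; the sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: dspy is pinned and hashed (good), litellm is a loose
# range (takes the newest release at install time), requests has no
# constraint at all. The sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
dspy==2.6.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
litellm>=1.64.0
requests
"""

# Constructed release list; 1.82.8 is the version the thread names as poisoned.
RELEASED_LITELLM = ["1.64.0", "1.82.7", "1.82.8"]


@dataclass
class Finding:
    line: int
    requirement: str
    problem: str


REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
SPEC_RE = re.compile(r"^(==|>=|<=|>|<)\s*([0-9.]+)$")


def _vtuple(version):
    """Numeric tuple for ordering simple dotted versions (no pre-release handling)."""
    return tuple(int(p) for p in version.split("."))


def newest_allowed(spec, released):
    """Return the newest release satisfying one pip-style specifier, or None.

    This mirrors what an unpinned range does: it happily selects a release
    that was published minutes ago.
    """
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, ver = m.groups()
    ops = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}
    ok = [v for v in released if ops[op](_vtuple(v), _vtuple(ver))]
    return max(ok, key=_vtuple) if ok else None


def parse_requirements(text):
    """Strip comments, join backslash-continued lines; yield (lineno, logical line)."""
    logical, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not stripped.strip():
            continue
        if start is None:
            start = n
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped.strip())
        logical.append((start, " ".join(buf)))
        buf, start = [], None
    return logical


def audit(text):
    """Flag every requirement that is not pinned with == or carries no --hash."""
    findings = []
    for lineno, line in parse_requirements(text):
        m = REQ_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        spec = rest.split("--hash=")[0].strip()
        if not spec.startswith("=="):
            findings.append(Finding(lineno, name, "not pinned to an exact version (==)"))
        if "--hash=" not in rest:
            findings.append(Finding(lineno, name, "no --hash entry; pip --require-hashes would refuse it"))
    return findings


if __name__ == "__main__":
    print("litellm>=1.64.0 resolves to", newest_allowed(">=1.64.0", RELEASED_LITELLM))
    print("litellm==1.82.7 resolves to", newest_allowed("==1.82.7", RELEASED_LITELLM))
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"line {f.line}: {f.requirement}: {f.problem}")
```

Run it as a pre-install gate in CI and fail the build on any finding; a hashed, fully pinned lockfile does not stop a maintainer account takeover, but it does stop a freshly poisoned release from reaching your machines until someone deliberately bumps the pin and the hash.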
@karpathy The LiteLLM dependency incident didn't "just happen" though. This is part of a larger campaign
LiteLLM already extends to supply chain security fallout for other projects: https://t.co/7bL3kNHP15
BREAKING: Saudi Arabia has reportedly asked Pakistan to repay a USD 6.3 billion loan after Pakistan failed to honor the bilateral defense pact, under which an attack on one is considered an attack on both. Saudi officials are reportedly unable to reach Pakistan’s PM & army chief.
The Muslim world is divided about Iran:
Muslim countries in favor of removing the regime:
Jordan 🇯🇴
Kuwait 🇰🇼
UAE 🇦🇪
Saudi Arabia 🇸🇦
Oman 🇴🇲
Qatar 🇶🇦
Bahrain 🇧🇭
Muslim countries against the removal of the regime:
Great Britain 🇬🇧
France 🇫🇷
Spain 🇪🇸
This isn't just about Iran. Every country watching this is doing the math. Every country that has been quietly drifting toward Beijing's orbit, betting that China is the future, is watching Beijing issue press conferences while its strategic partner gets regime-changed.
The multipolar world was never a reality. It was a theory, a brand, an aspiration shared by countries that had grievances against American power. But they had no actual capacity to replace it.
And when the moment of truth arrived, all Russia and China could do is say, “sorry for your loss.”
🔥🔥🔥Breaking! The UK Online Harms bill was a joint Democrat US and UK project! Sponsored by Soros partner Omidyar! And they also created AN INTERNATIONAL NETWORK OF CENSORSHIP NGO’s!
*Note : @CCDHWATCH introduced me to Carnegie UK and contributed significantly to research
The UK Online Safety origins were funded and worked on by a Soros Democracy Alliance Partner (Omidyar’s Reset/Luminate). And also the Global Trump resistance org, Avaaz.
Omidyar Reset CEO, Ben Scott was a Hillary Clinton/Obama State Dept staffer. Omidyar Luminate also worked with the State Dept's Global Engagement Center and also Biden's State Dept's International Fund for Public Interest Media. Both active in censorship.
🔥Conveniently, the European Commission and the UK, both on the same day, published their proposals for regulating online harms.🤔
Carnegie UK primary staff are:
Lorna Woods
William Perrin
Maeve Walsh
William Perrin was given credit for the creation of the UK Ofcom. Obviously William and his cohorts pushed to have online harms regulated by Ofcom.
William Perrin's wife, Fran, is presently on the board of directors of Labour Together. Fran is the daughter of Lord Sainsbury. Also, Labour Together earlier started the Center For Countering Digital Hate (CCDH). Both William and Fran donated to Labour Together.
William Perrin and Professor Woods received OBEs in recognition for their work in the Queen’s Birthday Honours List in 2020 (For Online Safety Act).
Also Carnegie UK worked with 50 activist orgs in writing the UK Online Hate bill. Although I could never find a complete list of those 50.
But later when they completed writing this bill in Oct 2023, they moved their work to a new website called the Online Safety Act Network (OSA), where they discuss implementation and changes as needed.
At the OSA site I found a list of half of their activist orgs which likely mirrors those from Carnegie UK.
Here are a few noteworthy ones:
Avaaz - Global Trump Resistance
CCDH - Started By Labour Together
Demos UK
ISD Global - Worked with Hamilton68 hoaxers
Reset - Soros Democracy Alliance partner (Omidyar)
Carnegie UK Trust, https://t.co/JFXzUnApWw, Institute for Strategic Dialogue and The German Marshall Fund (hamilton68 Russian bot hoaxers) of the USA worked together to support G7 Deliberations convening an internet safety INTERNATIONAL pathfinder GROUP of NGOs for the UK Chair. I imagine this is why many of the same NGO’s work on EU and other countries censorship efforts.
I did find an International group that all these folks belong to, so it’s likely this. It’s called the Global Alliance Against Digital Hate & Extremism. Here are some from their massive list:
Carnegie UK
Avaaz
Center For Countering Digital Hate
Demos UK
Fair Vote UK
Far Right Observatory
ISD Global
MEDIA MATTERS (oh my goodness )
Reset
The Sparrow Project (Charged Terrorist founded / Pro Marx revolutionary activism)
Vote Run Lead
This Global Alliance doesn’t like Trump very much either.
“Trump is a known racist populist demagogue with a dark record of capitalising on popular rage and frustration over economic hardships and scapegoating racial minorities and refugees.”
“We are concerned that Trump could use his online presence to spread conspiracy theories and support anti-democratic far-right movements across the world. Trump has repeatedly expressed admiration for Russian dictator Putin.”
Carnegie UK also admits that their work was reflected in the approach adopted in the European Union’s Digital Services Act and to some extent in the UNESCO Guidelines on Internet for Trust.
Another interesting element is that Carnegie UK Trust came from the same family as the Carnegie Endowment for International Peace (CEIP). Carnegie folks talk, and mingle on occasions. Ex-CIA William Burns worked at CEIP when this UK censorship craze was started at Carnegie UK. And he was CIA director yet again as Biden developed his global censorship collusion utilizing Luminate.
Thousands of Chinese “fishing boats” recently began moving in precise military-style formations in the East China Sea. They weren’t fishing. They were forming massive lines hundreds of miles long—and staying there for hours.
🔥🔥🔥Liberation Road, previously called Freedom Road Socialist Organization (FRSO) is responsible for major riots dating back to at least Ferguson. Including the George Floyd riots too.
Liberation Road supports the Beijing line. And some of their members live in China.
Liberation Road also now runs NAARPR which was previously headed by the communist Angela Davis in the 1970s.
May 25, the day George Floyd was killed, the NAARPR issued a call for a National Day of Protest for Sat, May 30. And expanded quickly into 11 cities.
In June 2020, BLM itself was coordinated nationwide by a Liberation Road umbrella group called the Movement for Black Lives (MBL).
My observation? Obama's Chicago is where all things evil seem to lead as far as communist roots for protests. Tons of orgs lead back there. That’s likely why Obama is Marxist in the first place.
Tomorrow’s hearing will be a waste if they just dip into one org, the DSA. Instead they need to delve deeper into the secretive and equally old groups.
@DataRepublican it’s a harsh read, but highly suggested by me.
@Weaponization hopefully you will see this!
I’m globally dead to the water. Not a single IP can get this out.
I was gonna get a video for points. I’ll settle for letting me get this out.
Lord, I’m exposing it all