JUST IN: 🇺🇸 Fed Chair Jerome Powell warns US national debt is growing "substantially" faster than the economy and says it's not sustainable.
"It will not end well if we don't do something fairly soon."
🚨 Anthropic CEO Dario Amodei: “We are so close to these models reaching the level of human intelligence, and yet there doesn't seem to be a wider recognition in society of what's about to happen … There hasn't been a public awareness of the risks.”
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine.
The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once.
The poisoned version was published straight to PyPI.. no code on GitHub.. no release tag.. no review. Just a file that Python runs automatically on startup. You didn’t need to import it. You didn’t need to call it. The malware fired the second the package existed on your machine.
The attacker vibe coded it… the malware was so sloppy it crashed computers.. used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn’t even know they had.
That crash is the only reason thousands of companies aren’t fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months.
The attack chain is the part that gets worse every sentence.
TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials.
Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one.
The payload was three stages.. harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine.. deploy privileged containers across every node in the cluster.. install a persistent backdoor waiting for new instructions.
TeamPCP posted on Telegram after: “Many of your favourite security tools and open-source projects will be targeted in the months to come.. stay tuned.”
Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer’s machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours.
The companies deploying AI the fastest right now have the least visibility into what’s underneath it.
🚨Anthropic accidentally leaked their next model. it’s called Claude Mythos. and it’s terrifying.
a CMS misconfiguration exposed nearly 3,000 unpublished internal files. buried in them is Anthropic’s most powerful model ever. codename capybara. training is done and already in early access testing.
their own draft blog post says it’s currently far ahead of any other AI model in cyber capabilities and warns it “presages models that can exploit vulnerabilities in ways that far outpace defenders.” holy fuck.
read that again. the company that built it is scared of what it can do.
they’re not shipping it publicly because of the chaos it can cause. only selected organizations get access first. pentagon is definitely crying right now 💀
anthropic built something so powerful they’re afraid to release it. and we only found out because someone forgot to private it.
now that we all can build anything with ai
we're going to all have to figure out distribution
the wealthiest people will be marketers over the next 10 years
Delegation is buying back your highest value hours with someone else's lower cost ones.
Automation is building back your highest value hours with a machine's lower cost ones.
The eighth and final vote to legalize #UsoAdulto in Colombia is this Thursday.
It's in the bag.
Kudos to everyone who is making it happen, but especially @JuanKarloslos.
¡Felicitaciones #Colombia!
Congrats Alberta,
Our flower options have now become a sad mix of large LPs. What was once a mix of amazing craft producers is now a sad shell.
There's a few reasons why so let's jump into it.
The publication of this Notice of Intent initiates a 60-day public comment period. Health Canada is seeking feedback and comments on potential amendments to the CR. Input received will ensure that regulatory amendments are informed by and responsive to the cannabis industry, other interested parties, and the public. Health Canada welcomes input for 60 calendar days until May 24, 2023.
The publication of this Notice of Intent initiates a 60-day public comment period. Health Canada is seeking feedback and comments on potential amendments to the CR. Input received will ensure that regulatory amendments are informed by and responsive to the cannabis industry, other interested parties, and the public. Health Canada welcomes input for 60 calendar days until May 24, 2023.
Canadians are allergic to the concept of suing the government, but, hear me out, maybe it's not always a bad thing.
A more litigious cannabis industry could be a very good thing.
If the state can justify exorbitantly funding the extinction of a plant species, why don't they start with Poison Ivy?
Brutally persecute those on whose land they find it, for starters.
Then they can graduate to the Poison Oak and Giant Hogsweed.
#ExtinctionIsForever