Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker hadn't vibe coded this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've become increasingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
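The `>=1.64.0` range mentioned above is exactly what lets a freshly published version walk into an install unasked. The check below is an added example (not code from the post's author or from litellm): it pre-screens a requirements file for the two things pip's own `--require-hashes` mode depends on, an exact `==` pin and a sha256 `--hash=` on every line, and rejects `-e`/`-r`/`--index-url` lines that would bypass the lock. The requirement grammar in `REQ_RE` is a deliberately simplified assumption, not pip's full parser, and the sample file and its hash values are constructed placeholders.

```python
"""Pre-flight policy check for a pip requirements file used with --require-hashes.

Added example, not from the post above.  pip refuses to install anything whose
sha256 is not listed when --require-hashes is on, and --only-binary=:all: keeps
it from building sdists (which runs setup.py at install time).  Both only help
if every line is actually pinned and hashed, which is what this verifies.
"""
import hashlib
import re

# name, optional [extras], optional operator, version (simplified grammar, an assumption)
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)"
)
HASH_RE = re.compile(r"--hash=([A-Za-z0-9]+):([0-9a-fA-F]+)")


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if line:
            yield line


def check_requirements(text, require_hashes=True):
    """Return (subject, problem) pairs; an empty list means the file passes."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):
            # -e / -r / --index-url lines escape the lock: reject them outright
            problems.append((line, "pip option lines are not allowed in a locked file"))
            continue
        m = REQ_RE.match(line)
        if not m:
            problems.append((line, "unparseable requirement"))
            continue
        name, _extras, op, version = m.groups()
        if op != "==" or not version:
            problems.append((name, "not pinned with =="))
        hashes = HASH_RE.findall(line)
        if require_hashes and not hashes:
            problems.append((name, "no --hash= given"))
        for algo, digest in hashes:
            if algo.lower() != "sha256" or len(digest) != 64:
                problems.append((name, f"weak or malformed hash {algo}"))
    return problems


def sha256_of_artifact(data: bytes) -> str:
    """pip compares --hash=sha256:... against the digest of the raw wheel/sdist bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample lockfile: the sha256 below is a placeholder, not a real digest.
SAMPLE = (
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "litellm>=1.64.0\n"
    "dspy==2.5.0 --hash=md5:d41d8cd98f00b204e9800998ecf8427e\n"
    "-e git+https://example.invalid/repo.git\n"
)

if __name__ == "__main__":
    for subject, problem in check_requirements(SAMPLE):
        print(f"{subject}: {problem}")
```

Run the passing file with `pip install --require-hashes --only-binary=:all: -r requirements.txt`; `pip hash <file>` and pip-tools' `pip-compile --generate-hashes` produce the digests. The caveat: a hashed lock only freezes what you locked, so it stops a later silent swap and unpinned transitive pulls, not a package that was already malicious when you locked it, and a wheel still runs its own code at import time.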
Interested in boosting the performance of LLMs at detecting malicious npm packages while at the same time reducing the number of tokens? Check out our recent study titled "Taint-Based Code Slicing for LLMs-based Malicious NPM Package Detection" on Arxiv https://t.co/xisZe0n5OH
We will be presenting our poster, "TYPOSQUATTING ATTACKS ON THE RUST ECOSYSTEM," at the AsiaCCS conference in Hanoi this August. We are probably the first to investigate squatting attacks on Rust packages in https://t.co/AQDLdgZeJA. Please stay tuned for our preprint.
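As an added example of the kind of check the poster above studies (this is not the authors' code), the screen below flags a new crate name that sits within a small edit distance of a well-known one, using optimal string alignment distance so that a swapped pair of letters counts as one edit. Folding `_` and `-` together and the length-scaled distance limit are assumptions made here, and the popular-crate list is a constructed stand-in for the registry's top downloads.

```python
"""Typosquat screening for crate names (added example, not the poster authors' code).

A candidate name within a small edit distance of a popular crate is queued for
review.  Names are lower-cased with '_' and '-' treated as equal (an assumption
made here), and the allowed distance grows with the target's length so that
short names like `syn` are not matched by every unrelated three-letter crate.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Fold case and separator style so `Serde_JSON` and `serde-json` compare equal."""
    return name.lower().replace("_", "-")


# Constructed allowlist of well-known crate names; a real deployment would load
# the top-N crates by downloads from the registry instead.
POPULAR = ["serde", "tokio", "rand", "regex", "reqwest", "clap", "syn",
           "anyhow", "thiserror", "rustls", "hyper", "libc"]


def typosquat_candidates(name, popular=POPULAR):
    """Return [(popular_name, distance), ...] that `name` may be squatting, nearest first."""
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if n == pn:
            return []  # it is the well-known crate itself, nothing to flag
        limit = 1 if len(pn) <= 5 else 2
        dist = osa_distance(n, pn)
        if dist <= limit:
            hits.append((p, dist))
    return sorted(hits, key=lambda t: t[1])


if __name__ == "__main__":
    for candidate in ["tokoi", "reqwests", "serde_json", "rustsl"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

Edit distance alone is a coarse filter: legitimate names such as `serde_json` pass because they are far from every entry, while a hit still needs a human or a second signal (new publisher, install-time script, odd download pattern) before anything is taken down.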
Get into the New Year dance party spirit: PANIC AT THE DISTRO 💃 🕺 🎇
We went on a mission to find out:
⭐ What measures have maintainers at Linux distributions implemented or considered implementing to counter malware?
⭐ How effective are current malware detection tools at identifying malicious Linux packages?
Read more on the blog: https://t.co/wMvY7QmF0W
Pleased to share our blog post titled: "Panic! at the Distro: A Study of Malware Prevention in Linux Distributions". https://t.co/dF63HftZTa
The paper is available on arXiv: https://t.co/GAORQgQjeU.
PSA: The popular @solana/web3.js library has been affected by a supply chain attack.
Compromised versions contain injected malicious code that steals private keys from unsuspecting developers and users, enabling attackers to drain crypto wallets.
⬇️ This is a developing story
Call for Participation for the CCS Doctoral Symposium: this is the first time CCS is organizing a doctoral symposium, please join us! https://t.co/DOwppjoO7F
Slides of our @ICSEconf 2023 presentation titled "bad snakes: understanding and improving python package index malware scanning" are available at https://t.co/6aK7COqFnL
Thank you for your attention, and we look forward to future ICSE conferences.
We are excited to launch Open Source Insights https://t.co/scLeAV5iVF API! This makes critical security metadata for 50M pkg versions across 5 major ecosystems (Go,Maven,PyPI,npm & Cargo) universally accessible with a single API call (no signup, keys) https://t.co/6vayC9Z0iV
Attention developers! Lolip0p, a threat actor, has uploaded rogue packages to the PyPI repository with the goal of dropping #malware on compromised systems.
Read: https://t.co/u802nNWvu0
#infosec #cybersecurity #hacking #programming #coding
PyTorch has identified a malicious dependency with the same name as the framework's 'torchtriton' library. This has led to a successful compromise via the dependency confusion attack vector. https://t.co/1BVCADCm7t Stay safe. This is why you need a different dev environment
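Dependency confusion works because a resolver given both a private index and public PyPI will happily take an internal package name from whichever index offers it, typically at an implausibly high version. The script below is an added example (not PyTorch's code): it reads the JSON that `pip install --dry-run --report report.json` writes (pip 22.2 or newer) and flags any package in your internal namespace that pip resolved from a host outside your private index. The report content, the internal name list, and the `pypi.corp.example` host are constructed for the example.

```python
"""Detect dependency confusion from pip's installation report (added example).

Feed in the JSON from `pip install --dry-run --report report.json -r requirements.txt`:
every package whose name belongs to the internal namespace must have been
fetched from a private index host, never from public PyPI.  The sample report
below is constructed for the example and is not a real install.
"""
import json
import re
from urllib.parse import urlparse


def normalize(name: str) -> str:
    """PEP 503 name normalization, so Acme_Utils and acme-utils compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_confused(report: dict, internal_names, private_hosts):
    """Return (name, version, host) for internal packages resolved outside private_hosts."""
    internal = {normalize(n) for n in internal_names}
    flagged = []
    for item in report.get("install", []):
        name = normalize(item["metadata"]["name"])
        url = item.get("download_info", {}).get("url", "")
        host = urlparse(url).hostname or ""
        if name in internal and host not in private_hosts:
            flagged.append((name, item["metadata"].get("version"), host))
    return flagged


# Constructed sample in the shape of pip's --report output (only the fields used here).
# Note the 99.0.0 version on the squatted name: public indexes win on version, so
# attackers publish an absurdly high one to beat the real internal release.
SAMPLE_REPORT = json.loads("""{
  "version": "1",
  "install": [
    {"metadata": {"name": "torch", "version": "2.1.0"},
     "download_info": {"url": "https://files.pythonhosted.org/packages/py3/t/torch/torch-2.1.0-py3-none-any.whl"}},
    {"metadata": {"name": "acme_internal_utils", "version": "99.0.0"},
     "download_info": {"url": "https://files.pythonhosted.org/packages/source/a/acme_internal_utils/acme_internal_utils-99.0.0.tar.gz"}},
    {"metadata": {"name": "acme-auth", "version": "1.4.2"},
     "download_info": {"url": "https://pypi.corp.example/simple/acme-auth/acme_auth-1.4.2-py3-none-any.whl"}}
  ]
}""")
INTERNAL = ["acme-internal-utils", "acme-auth"]
PRIVATE_HOSTS = {"pypi.corp.example"}

if __name__ == "__main__":
    for name, version, host in find_confused(SAMPLE_REPORT, INTERNAL, PRIVATE_HOSTS):
        print(f"CONFUSION: {name}=={version} came from {host}")
```

The structural fix is to stop mixing indexes at all: point `--index-url` at a single private proxy that mirrors PyPI and serves internal packages from its own namespace, and never add public PyPI with `--extra-index-url`, since pip has no per-package index pinning. Registering your internal names on PyPI as empty placeholders is the usual belt-and-braces step on top.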
The Android team has open sourced our internal Rust Training! It's a four day course covering the full spectrum of Rust, from basic syntax to advanced topics like generics and error handling. It also includes Android-specific content on the last day.
https://t.co/5U3kmRruKG
12 tips for becoming a successful engineer from ChatGPT:
1. Develop a strong foundation in math and science.
2. Learn to think critically and solve problems effectively.
3. Keep up with the latest advances and developments in your field.
Great news! Our Bad snakes paper has just been accepted at @ICSEconf 2023 conference.
We will be working on the camera ready version of the paper. Meantime, you can find the preprint here https://t.co/48OI0eVvbk
Scans used by the Python Package Index (PyPI) to find malware fail to catch 41% of bad packages, and also trigger many false positives. The details here from @roblemos https://t.co/MJ2rdzjd1r