PyPI
10 mentions across all digests
PyPI (Python Package Index) is the official Python package repository. It has been targeted by multiple supply chain attacks in 2026, including malicious versions of litellm and the telnyx SDK that contained credential-harvesting payloads.
GitHub Actions is the weakest link
GitHub Actions' mutable-dependency model and permissive fork defaults enabled a 2024-2026 supply chain attack wave compromising Ultralytics, nx, Trivy, and 23,000+ dependent repositories.
My minute-by-minute response to the LiteLLM malware attack
LiteLLM 1.82.8 was poisoned on PyPI with a malicious `.pth` file executing base64 payloads on install—a supply chain attack on a foundational LLM routing library affecting the entire AI ecosystem.
Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised
Malicious .pth files in LiteLLM 1.82.7 and 1.82.8 (PyPI) automatically steal SSH keys, API tokens, and cloud credentials from any dependent Python project.
LiteLLM Compromised by Credential Stealer
PyPI supply chain attack compromises LiteLLM versions 1.82.7–1.82.8 with malicious `.pth` file harvesting SSH keys, cloud credentials, and crypto wallets on every Python startup.
You don't want long-lived keys
Ephemeral cryptographic keys dramatically reduce security risk and operational burden compared to long-lived credentials—platforms like AWS and GitHub are standardizing temporary access over persistent keys.