The IT security company NetKnights has released version 3.13 of its multi-factor authentication software, privacyIDEA ...

A Python package presented as a privacy-first shortcut to AI models has been unmasked as a supply-chain threat that quietly captures user prompts, leans on a private university service without ...

The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on ...

TeamPCP strikes again, with almost identical code to LiteLLM.

PyPI对可能从AI应用和开发者管道中窃取凭证的行为发出警告。此前，广泛使用的大语言模型Python中间件LiteLLM的两个恶意版本曾短暂发布。

LiteLLM 用于统一调度各类大模型 API，月下载量超 9500 万，是 AI 开发的基础设施。攻击者通过泄露的发布凭证绕过代码审核，直接向 PyPI 推送恶意安装包， GitHub 源码无异常，pip 安装即中招 ，隐蔽性极强。

最新上传的LiteLLM Python 版本1.82.7和1.82.8，已被人为恶意植入信息窃取程序。 一旦安装，SSH密钥、AWS凭证和API密钥等数据均会立即泄漏。 目前LiteLLM的维护者Krrish Dholakia，已经公开证实此事。 在恶意版本存在三小时后，PyPI迅速发现了这一漏洞，并将软件包隔离。

最新上传的LiteLLMPython 版本1.82.7和1.82.8，已被人为恶意植入信息窃取程序。 一旦安装，SSH密钥、AWS凭证和API密钥等数据均会立即泄漏。 目前LiteLLM的维护者Krrish Dholakia，已经公开证实此事。 在恶意版本存在三小时后，PyPI迅速发现了这一漏洞，并将软件包隔离。

Andrej Karpathy, the former Tesla AI director and OpenAI cofounder, is calling a recent Python package attack \"software horror\"—and the details are ge.

LiteLLM, a widely used AI developer tool, was hit by a supply chain attack through a malicious PyPI release. The malware stole credentials, spread across systems, and crashed machines. The incident ...

Threat actors impersonating PyPI ask users to verify their email for security purposes, directing them to fake websites. The Python Package Index (PyPI), the default platform for Python’s package ...