Andrej Karpathy, the former Tesla AI director and OpenAI cofounder, is calling a recent Python package attack "software horror"—and the details are genuinely alarming. A compromised version of LiteLLM, one of the most downloaded AI libraries on PyPI with 97 million monthly downloads, briefly turned a routine pip install into a credential theft operation capable of exfiltrating SSH keys, AWS and Google Cloud credentials, Kubernetes configs, crypto wallets, SSL private keys, CI/CD secrets, and full shell histories.
The malicious versions, 1.82.7 and 1.82.8, were uploaded directly to PyPI on March 24 with no corresponding release in LiteLLM's official GitHub release pipeline. The attack was traced to TeamPCP, a threat actor on a multi-week campaign through developer and security tooling. Days earlier the group had compromised Aqua Security's Trivy scanner, and that compromise gave them LiteLLM maintainer BerriAI's PyPI publish token. Because the upload was made with a valid token, it was indistinguishable at the registry from a legitimate maintainer release.
How a bug in the malware actually saved thousands of developers
The poisoned package was live for roughly two hours before PyPI quarantined it—and the only reason it got caught that fast was a mistake in the attacker's own code. Developer Callum McMahon was installing a Cursor MCP plugin that pulled LiteLLM as a transitive dependency. Version 1.82.8 caused his machine to run out of RAM and crash. That crash set off the alarm. "If the attacker didn't vibe code this attack," Karpathy wrote on X, "it could have been undetected for many days or weeks."
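The incident turned on a transitive dependency: the developer never asked for LiteLLM, another package pulled it in. The script below is an added example written for this page, not code from the article, from BerriAI or from PyPI. It checks the running interpreter's installed packages and a requirements file for the two version numbers the article names, and it also flags requirements that are not pinned to an exact version, since an open `>=` spec is exactly what lets a newly published release walk into a build. The requirements text is constructed for illustration; the package name `some-mcp-plugin` is hypothetical.

```python
"""Audit an environment and a requirements file for the two LiteLLM releases
named in the article (1.82.7 and 1.82.8).

Added example, not part of the original article or of LiteLLM's own tooling.
SAMPLE_REQUIREMENTS is constructed; 'some-mcp-plugin' is a hypothetical name.
"""
import re
from importlib import metadata

# Versions the article identifies as the compromised PyPI uploads.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# Constructed sample: one exact pin to a bad release, one open-ended spec.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
litellm==1.82.8
some-mcp-plugin>=0.4
"""

# name, comparison operator, version: a simple subset of PEP 508 pins
_REQ = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize(name):
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return (name, operator, version) tuples; operator and version may be ''."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = _REQ.match(line)
        if m:
            out.append((normalize(m.group(1)), m.group(2) or "", m.group(3)))
    return out


def audit_requirements(text):
    """Flag exact pins to a compromised release and any spec that is not an
    exact pin. Pinning alone does not help if the pin itself is the bad build,
    so both conditions are reported."""
    findings = []
    for name, op, ver in parse_requirements(text):
        if name in COMPROMISED and ver in COMPROMISED[name]:
            findings.append(f"{name}=={ver} is a compromised release")
        if op != "==":
            findings.append(f"{name} is not pinned to an exact version ({op}{ver or '*'})")
    return findings


def audit_installed():
    """Check site-packages of the running interpreter, which is where a
    transitive dependency pulled in by another package actually lands."""
    findings = []
    for name, bad in COMPROMISED.items():
        try:
            installed = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if installed in bad:
            findings.append(f"installed {name} {installed} is a compromised release")
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) + audit_installed():
        print("WARNING:", finding)
```

Run it inside each virtual environment and CI image you care about, not just against the lock file: the installed-package check is the one that catches a version pulled in transitively. Exact version pins are the minimum; the stronger form is hash pinning with `pip install --require-hashes`, which rejects any artifact whose digest was not recorded when the lock file was generated, regardless of what version number it carries.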
Karpathy says the incident is a reason to rethink how developers use dependencies
Karpathy used the incident to revisit a long-standing concern: that the software industry's reliance on dependency trees creates enormous, largely invisible attack surfaces. Every package in a project's chain is a potential entry point. His suggestion—increasingly his default—is to use LLMs to extract or replicate simple functionality instead of importing entire libraries.
Maintainers at BerriAI have since engaged Mandiant to investigate and advised anyone who installed either version to rotate every credential the machine could reach. The official Docker images, which are built with pinned dependency versions, were confirmed unaffected.
The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk’s news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.