The IT security company NetKnights has released version 3.13 of its multi-factor authentication software, privacyIDEA ...

A Python package presented as a privacy-first shortcut to AI models has been unmasked as a supply-chain threat that quietly captures user prompts, leans on a private university service without ...

AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the ...

Security teams are scrambling after two malicious releases of the Telnyx Python SDK were uploaded to PyPI on March 27, turning a widely used developer tool into a credential-stealing backdoor that ...

Language package managers like pip, npm, and others pose a high risk during active supply chain attacks. However, OS updates ...

The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on ...

TeamPCP strikes again, with almost identical code to LiteLLM.

PyPI对可能从AI应用和开发者管道中窃取凭证的行为发出警告。此前，广泛使用的大语言模型Python中间件LiteLLM的两个恶意版本曾短暂发布。

3 月 24 日，Python 生态遭遇重磅袭击：热门 AI 工具库 LiteLLM 在官方 PyPI 渠道被投毒，成为 TeamPCP 黑客组织新一轮供应链攻击的目标，波及全球海量开发者与企业服务。 LiteLLM 用于统一调度各类大模型 API，月下载量超 9500 万，是 AI 开发的基础设施。攻击者通过泄露的发布凭证绕过代码审核，直接向 PyPI 推送恶意安装包，GitHub 源码无异常， ...

如果你最近在用OpenClaw跑Agent、装Skill，或者即便只是正常装了几个常见依赖，那你可得好好注意了！ 今日，资深开发者Daniel Hnyk在社交平台X上紧急发文警告称：LiteLLM的PyPI官方发布版本1.82.8已被注入恶意代码，并着重强调“DONOTUPDATE”（请勿更新）。

最新上传的LiteLLM Python 版本1.82.7和1.82.8，已被人为恶意植入信息窃取程序。 一旦安装，SSH密钥、AWS凭证和API密钥等数据均会立即泄漏。 目前LiteLLM的维护者Krrish Dholakia，已经公开证实此事。 在恶意版本存在三小时后，PyPI迅速发现了这一漏洞，并将软件包隔离。