Software horror: litellm PyPI supply chain attack. A simple `pip install litellm` is enough to steal SSH keys, AWS/GCP/Azure credentials, Kubernetes configs...
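Version 1.82.8 of the LiteLLM PyPI package was maliciously tampered with; once installed, it steals SSH keys, cloud service credentials, API keys, and other sensitive data and sends them to a remote server. The malicious version was available for only about 1 hour, but because litellm has 97 million monthly downloads and many projects depend on it, the impact is extremely broad.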
A series of supply chain attacks has affected npm and PyPI repositories within two weeks. The use of large language models is exacerbating these security issues, and existing mitigation measures are insufficient to address the problem.
A new phishing-as-a-service called Starkiller uses disguised links to load real login pages from target brands. It acts as a relay between victims and legitimate sites, forwarding usernames, passwords, and MFA codes to bypass security measures.
A security researcher discovered a vulnerability that allowed obtaining full administrator rights in a Replit clone. The vulnerability stemmed from running untrusted code in an insecure manner. This highlights the importance of proper security practices when executing external code.
A social media trick shows that blocking the "claude" user on GitHub reveals projects using Claude Code. The CPython repository, one of the world's most popular open-source projects, now displays contributions from this AI coding agent.
An investigation uncovered a large network of fake support groups on Telegram that spread cryptocurrency stealers and drainers. The network was found to be actively promoting malicious tools designed to drain crypto wallets.