PyPI supply chain attack via litellm and the dependency risk problem in ML engineering
The litellm supply chain attack this week should be a wake-up call for every ML engineer. One poisoned PyPI release. Less than an hour live. And it had the potential to exfiltrate SSH keys, AWS credentials, Kubernetes configs, API keys, crypto wallets, and shell history from every machine that ran pip install litellm or anything…
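The practical question behind that sentence is what decides whether a freshly uploaded release reaches a machine at all: a bare "pip install litellm" resolves to the newest file on PyPI at install time, while an exact pin plus a --hash entry (enforced by pip's --require-hashes mode) only ever installs the file you locked. The Python script below is an added illustration, not code from the original post or from the litellm project. It audits a requirements file for those two properties and checks an artifact against its pinned digest. The requirements text, the artifact bytes and the sha256 value are constructed for the example; the hash is of the constructed bytes, not of any real litellm release.

```python
"""Audit a pip requirements file for exact pins and hashes, then verify an
artifact against the pinned digest. Added illustration, not code from the post."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a downloaded wheel/sdist; not a real package file.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed wheel bytes for the example"
_SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()

# Constructed requirements file. The hash is of SAMPLE_ARTIFACT above, not of
# any real litellm release. The last entry uses pip's backslash continuation.
SAMPLE_REQUIREMENTS = f"""
# unpinned: resolves to whatever is newest on PyPI at install time
litellm
# version-pinned but no hash: a re-uploaded file for that version still installs
requests==2.31.0
# pinned with a hash: pip --require-hashes refuses any other file
example-pkg==1.0.0 \\
    --hash=sha256:{_SAMPLE_DIGEST}
"""

# name, optional [extras], optional exact ==version pin
_SPEC = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?(==[^;\s]+)?"
)


@dataclass
class Finding:
    name: str
    version: Optional[str]
    hashes: list[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        if self.version is None:
            return "unpinned"
        return "pinned-hashed" if self.hashes else "pinned-no-hash"


def _logical_lines(text: str) -> list[str]:
    """Join backslash-continued lines the way pip reads a requirements file."""
    out: list[str] = []
    for raw in text.splitlines():
        raw = raw.rstrip()
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + " " + raw.strip()
        else:
            out.append(raw)
    return out


def audit_requirements(text: str) -> dict[str, Finding]:
    """Classify each requirement as unpinned, pinned-no-hash or pinned-hashed."""
    findings: dict[str, Finding] = {}
    for logical in _logical_lines(text):
        line = logical.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):          # skip blanks and options (-r, --index-url)
            continue
        tokens = line.split()
        m = _SPEC.match(tokens[0])
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")   # normalized distribution name
        version = m.group(2)[2:] if m.group(2) else None
        hashes = [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")]
        findings[name] = Finding(name, version, hashes)
    return findings


def verify_artifact(data: bytes, pinned_hashes: list[str]) -> bool:
    """True only if data matches at least one pinned digest, as pip's hash-checking
    mode requires; entries using algorithms pip does not accept are ignored."""
    for entry in pinned_hashes:
        algo, _, digest = entry.partition(":")
        if algo not in ("sha256", "sha384", "sha512"):
            continue
        if hashlib.new(algo, data).hexdigest() == digest.lower():
            return True
    return False


if __name__ == "__main__":
    report = audit_requirements(SAMPLE_REQUIREMENTS)
    for f in report.values():
        print(f"{f.name:12} {f.status}")
    pinned = report["example-pkg"].hashes
    print("artifact matches pin:", verify_artifact(SAMPLE_ARTIFACT, pinned))
    print("tampered artifact:   ", verify_artifact(SAMPLE_ARTIFACT + b"\x00", pinned))
```

Run as-is, the audit flags litellm as unpinned, requests as pinned without a hash, and example-pkg as fully locked; the tampered artifact fails verification. The caveats a practitioner should keep in mind: a pin with a hash keeps a newly uploaded release off the machine, but it does nothing if the pinned version itself is the poisoned one, and it only protects packages that are actually in the lock file, so transitive dependencies must be locked as well (for example with pip-compile --generate-hashes) and installed with pip install --require-hashes -r requirements.txt.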
