Mentions (30d): 0
Reviews: 0
Platforms: 2
GitHub Stars: 25,024 (5,508 forks)
Features
Industry: information technology & services
Employees: 37
GitHub followers: 1,100
GitHub repos: 18
GitHub stars: 25,024
npm packages: 20
HuggingFace models: 40
[D] Litellm supply chain attack and what it means for API key management

If you missed it, litellm versions 1.82.7 and 1.82.8 on PyPI got compromised. A malicious .pth file that runs on every Python process start, no import needed. It scrapes SSH keys, AWS/GCP creds, k8s secrets, crypto wallets, env vars (aka all your API keys). Karpathy posted about it. The attacker got in through Trivy (a vuln scanner, ironically) and stole litellm's publish token. 2000+ packages depend on litellm downstream, including dspy and mlflow. The only reason anyone caught it was because the malicious code had a fork bomb bug that crashed machines.

This made me rethink how I manage model API keys. Having keys for OpenAI, Anthropic, Google, DeepSeek all sitting in .env files across projects is a massive attack surface. Switched to running everything through zenmux a while back so there's only one API key to rotate if something goes wrong. Not a perfect solution, but at least I don't have 6 different provider keys scattered everywhere.

Run pip show litellm right now. If you're on anything above 1.82.6, treat it as full compromise.

Submitted by /u/Zestyclose_Ring1123
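The post's two checks (what a .pth file can run at interpreter start, and which litellm version is installed) can be scripted together. The following is an added example, not part of the Reddit post and not litellm or MLflow code; the function names are illustrative, and the flagged version set contains only the two versions the post names.

```python
"""Added example: audit .pth startup hooks and the litellm versions named in the post."""
import site
import sysconfig
from importlib import metadata
from pathlib import Path

# The two versions the post names as compromised (taken from the post, nothing more).
FLAGGED_LITELLM = {"1.82.7", "1.82.8"}

def executable_pth_lines(text):
    """Return (line_no, line) pairs that site.py would exec() at interpreter start."""
    # site.py executes a .pth line only when it begins with "import" followed by
    # a space or tab; every other non-comment line is just appended to sys.path.
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]

def site_dirs():
    """Existing directories whose .pth files this interpreter processes."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    dirs.update(getattr(site, "getsitepackages", lambda: [])())
    return sorted(Path(d) for d in dirs if Path(d).is_dir())

def audit_pth(dirs):
    """Map each .pth file that contains executable lines to those lines."""
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = executable_pth_lines(pth.read_text(errors="replace"))
            if hits:
                findings[pth] = hits
    return findings

def litellm_flagged(installed=None):
    """True if the installed (or supplied) litellm version is one the post names."""
    if installed is None:
        try:
            installed = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return False
    return installed in FLAGGED_LITELLM

if __name__ == "__main__":
    for path, hits in audit_pth(site_dirs()).items():
        for n, line in hits:
            print(f"{path}:{n}: {line[:120]}")
    print("litellm version flagged:", litellm_flagged())
```

Some legitimate packages also ship .pth files with `import` lines (editable installs, for instance), so each hit is a line to review against what you expect to be installed, not a verdict.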
Repository Audit Available
Deep analysis of mlflow/mlflow — architecture, costs, security, dependencies & more
MLflow uses a subscription + tiered pricing model. Visit their website for current pricing details.
Key features include: LLMs & Agents, Model Training, Observability, Evaluation, Prompts & Optimization, AI Gateway, Agent Server, Open Source.
MLflow has a public GitHub repository with 25,024 stars.