A compromised version of the popular AI library LiteLLM, which sees 97 million monthly downloads, briefly turned pip installs into a credential-theft operation. The malicious package was live for two hours and was detected only because a bug in it caused a system crash. The incident highlights the risk that long dependency chains pose in software development.
