编辑｜冷猫这是一件极其严肃的软件安全事件。今天，Karpathy 发长推文警告全部开发者注意，GitHub 超过 4 万星，月下载量达 9700 万次的 Python 库 LiteLLM 在 PyPI 上被投毒。首先提请各位开发者检查自己的 LiteLLM 版本 ，含有恶意代码的版本号为 1.82.7 和 ...

最新上传的LiteLLM Python 版本1.82.7和1.82.8，已被人为恶意植入信息窃取程序。 一旦安装，SSH密钥、AWS凭证和API密钥等数据均会立即泄漏。 目前LiteLLM的维护者Krrish Dholakia，已经公开证实此事。 在恶意版本存在三小时后，PyPI迅速发现了这一漏洞，并将软件包隔离。但LiteLLM每天下载量约为340万次，许多自动安装新版本的程序员已经遭殃。 社区 ...

PyPI对可能从AI应用和开发者管道中窃取凭证的行为发出警告。此前，广泛使用的大语言模型Python中间件LiteLLM的两个恶意版本曾短暂发布。

The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package ...

Malicious telnyx 4.87.1/4.87.2 on PyPI used audio steganography March 27, 2026, enabling cross-platform credential theft.

In a new twist on software supply chain attacks, researchers have discovered a Python package hiding malware inside of compiled code, allowing it to evade ordinary detection measures. On April 17, ...

Two malicious versions of two Python packages were introduced in the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from Python developers' projects. One of them, using ...

The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. Accessible at pypi.org, PyPI is the default ...

The scanners tasked with weeding out malicious contributions to packages distributed via the popular open source code repository Python Package Index (PyPI) create a significant number of false alerts ...