Tesla’s former VP Andrej Karpathy shares AI coding ‘horror’, ‘Python supply chain attack’ that could have wiped millions of SSL private keys, database passwords, more; and Elon Musk ‘agrees’, says … – The Times of India



Andrej Karpathy, the former Tesla AI director and OpenAI cofounder, is calling a recent Python package attack “software horror”—and the details are genuinely alarming. A compromised version of LiteLLM, one of the most downloaded AI libraries on PyPI with 97 million monthly downloads, briefly turned a routine pip install into a credential theft operation capable of exfiltrating SSH keys, AWS and Google Cloud credentials, Kubernetes configs, crypto wallets, SSL private keys, CI/CD secrets, and full shell histories.

The malicious versions—1.82.7 and 1.82.8—were uploaded directly to PyPI on March 24, bypassing LiteLLM’s official GitHub release pipeline. The attack was traced to TeamPCP, a threat actor on a multi-week campaign through developer and security tooling. They had already compromised Aqua Security’s Trivy scanner days earlier, which gave them access to LiteLLM maintainer BerriAI’s PyPI publish token.

How a bug in the malware actually saved thousands of developers

The poisoned package was live for roughly two hours before PyPI quarantined it—and the only reason it got caught that fast was a mistake in the attacker’s own code. Developer Callum McMahon was installing a Cursor MCP plugin that pulled LiteLLM as a transitive dependency. Version 1.82.8 caused his machine to run out of RAM and crash. That crash set off the alarm. “If the attacker didn’t vibe code this attack,” Karpathy wrote on X, “it could have been undetected for many days or weeks.”

Karpathy says the incident is a reason to rethink how developers use dependencies

Karpathy used the incident to revisit a long-standing concern: that the software industry’s reliance on dependency trees creates enormous, largely invisible attack surfaces. Every package in a project’s chain is a potential entry point. His suggestion—increasingly his default—is to use LLMs to extract or replicate simple functionality instead of importing entire libraries. Maintainers at BerriAI have since engaged Mandiant for investigation and advised immediate credential rotation across the board. Docker images, which pin dependencies, were confirmed unaffected.
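As an added example (not from the article, and not code from LiteLLM or BerriAI), the small Python check below shows why an unpinned or range-constrained requirement could have resolved to the two compromised releases while an exact pin, as in the Docker images, could not; run over a `requirements.txt` or a `pip freeze` listing it flags any line that admits or already carries those versions. The version numbers are the ones the article names; the requirement lines are constructed.

```python
import re

# Compromised releases named in the article; the mapping itself is constructed.
COMPROMISED = {"litellm": ("1.82.7", "1.82.8")}

# Constructed sample: one unpinned, one ranged, one safe pin, one bad pin, one unrelated.
SAMPLE_REQUIREMENTS = ["litellm", "litellm>=1.80", "litellm==1.82.6",
                       "litellm==1.82.8", "requests>=2", "# comment line"]

REQ_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9._-]*)([=<>!,.\d\s]*)")
CLAUSE_RE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)\s*$")

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def spec_admits(spec, version):
    """True if a comma-separated PEP 440 subset (==, !=, >=, <=, >, <) admits version.
    An empty spec (unpinned requirement) admits every version."""
    ops = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
           ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}
    v = _ver(version)
    for clause in filter(str.strip, spec.split(",")):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not ops[m.group(1)](v, _ver(m.group(2))):
            return False
    return True

def exposed_requirements(lines):
    """Map each requirement/freeze line to the compromised versions it could resolve to."""
    result = {}
    for line in lines:
        m = REQ_RE.match(line)
        if not m:  # blank lines and comments
            continue
        name = m.group(1).lower().replace("_", "-")
        bad = [v for v in COMPROMISED.get(name, ()) if spec_admits(m.group(2).strip(), v)]
        if bad:
            result[line.strip()] = bad
    return result

if __name__ == "__main__":
    for req, versions in exposed_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{req!r} admits compromised release(s): {', '.join(versions)}")
```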
