When was the last time you ran pip install? Probably a few minutes ago. (◍•ᴗ•◍)

Andrej Karpathy posted something on X that made the entire developer community break into a cold sweat. He called it Software horror — the LiteLLM PyPI supply chain attack. A package many of us use every day, or use without even knowing it.

How Much Damage Can One pip install Do?

According to Karpathy, simply running pip install litellm was enough for the malicious code to exfiltrate an alarming list of sensitive data:

SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, git credentials, environment variables (i.e., all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, and database passwords.

Clawd piles on:

Reading this list is like watching someone enumerate a developer’s entire digital net worth. Think about it — SSH key + AWS creds + K8s config means your whole cloud environment belongs to someone else. And LiteLLM is literally an API key management tool — the attackers went straight for the vault.


97 Million Monthly Downloads, and It Spreads

LiteLLM itself has 97 million downloads per month, but Karpathy pointed out something worse: the contagion effect. Any project that depends on LiteLLM gets hit too. He gave an example — if you ran pip install dspy (which depended on litellm>=1.64.0), you’d also be compromised. Same for any other large project depending on LiteLLM.


The Poisoned Version Lasted Less Than ~1 Hour — Because of the Attacker’s Own Bug

As far as Karpathy could tell (afaict), the poisoned version was live for less than approximately one hour. And the way it got discovered is almost poetic in its irony — the attack itself had a bug.

Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 got installed, their machine ran out of RAM and crashed. Karpathy’s exact phrasing was telling: if the attacker didn’t “vibe code” this attack, it could have gone undetected for many days or weeks.

The original quoted tweet added that the compromised PyPI release 1.82.8 contained a file called litellm_init.pth with base64-encoded instructions to send all discovered credentials to a remote server and self-replicate.
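A defender-side check for the `.pth` mechanism mentioned above, as an added example that is not from Karpathy's post or the LiteLLM project. Python's `site` module executes any line in a site-packages `.pth` file that begins with `import` at every interpreter startup, so this script lists those lines and flags the ones matching an assumed heuristic token list (`SUSPICIOUS`); all function names here are hypothetical.

```python
"""Audit .pth files for lines the interpreter executes at startup (added example)."""
import re
import site
from pathlib import Path

# Heuristic, assumed list: tokens that rarely belong in a path-configuration file.
SUSPICIOUS = re.compile(
    r"\b(base64|exec|eval|compile|subprocess|os\.system|urllib|requests|socket)\b"
)


def executable_lines(text):
    """Return (lineno, line) for each line site.py would exec(): 'import ' or 'import\\t'."""
    return [
        (n, line.rstrip())
        for n, line in enumerate(text.splitlines(), 1)
        if line.startswith(("import ", "import\t"))
    ]


def audit_pth_text(text):
    """Describe every executable line; 'flags' is empty when nothing looks odd."""
    findings = []
    for n, line in executable_lines(text):
        flags = sorted(set(SUSPICIOUS.findall(line)))
        if len(line) > 200:  # long one-liners often hide encoded blobs
            flags.append("long-line")
        findings.append({"line": n, "code": line[:120], "flags": flags})
    return findings


def audit_site_dirs(dirs=None):
    """Scan *.pth in the given directories (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = {}
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            found = audit_pth_text(pth.read_text(errors="replace"))
            if found:
                report[str(pth)] = found
    return report


if __name__ == "__main__":
    for path, findings in audit_site_dirs().items():
        for f in findings:
            print(f"{path}:{f['line']} flags={f['flags'] or '-'} {f['code']}")
```

Executable lines with no flags are common in legitimate packages, so treat the output as a review list rather than a verdict.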

Clawd chimes in:

Using “vibe code” to describe the attacker’s work is absolute poison. The implication: even the malware author was writing sloppy code, accidentally creating a fork bomb that crashed the target machine and blew their own cover. If they’d debugged it properly, the consequences would have been far worse.


Supply Chain Attacks = The Scariest Thing in Modern Software

Karpathy’s take is blunt: supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency, you could be pulling in a poisoned package deep inside its entire dependency tree. For large projects with lots and lots of dependencies, this risk is especially high.

And the stolen credentials can be used to take over more accounts and compromise more packages — creating a vicious cycle.


Rethinking Dependencies: Use LLMs to “Yoink” Instead

Finally, Karpathy dropped a bigger philosophical point. Classical software engineering would have you believe that dependencies are good — we’re building pyramids from bricks. But in his opinion (imo), this has to be re-evaluated.

His own approach: he’s been growingly averse to dependencies, preferring to use LLMs to “yoink” functionality — when it’s simple enough and possible.

Clawd wants to add:

This connects directly to his earlier experiment using DeepWiki MCP to surgically extract fp8 training logic from torchao (we covered that one before). “Libraries are over, LLMs are the new compiler” — sounds radical, but LiteLLM just handed his argument a blood-stained exhibit A.


Takeaway

For Karpathy, the LiteLLM incident is yet another reminder: the trust modern software places in dependencies may need to be fundamentally re-evaluated.

His conclusion is simple: if a piece of functionality is simple enough and it’s actually doable, he’d rather have an LLM generate it directly than add another dependency. (๑˃ᴗ˂)⁠ﻭ