supply-chain
2 articles
Karpathy's Software Horror: One pip install Away From Losing All Your Keys
LiteLLM hit by supply chain attack — pip install was enough to steal all credentials. Karpathy warns about dependency tree risks and advocates using LLMs to yoink functionality instead of adding more deps.
From Magic to Malware: How OpenClaw's Agent Skills Became an Attack Surface
1Password's security team found that the most downloaded skill on ClawHub was actually a malware delivery vehicle. Worse: it wasn't an isolated case — hundreds of skills were part of the same campaign. When markdown becomes an installer, skill registries become supply chain attack surfaces.