https://yuanchang.org/en/tags/karpathy/ Recent content in Karpathy on Yuanchang's Blog Hugo -- gohugo.io en-us Wed, 25 Mar 2026 16:00:00 +0100 https://yuanchang.org/en/posts/pip-install-new-attack-surface-litellm/ Wed, 25 Mar 2026 16:00:00 +0100 https://yuanchang.org/en/posts/pip-install-new-attack-surface-litellm/ On March 24, 2026, LiteLLM — a Python package with 97 million monthly downloads — was backdoored on PyPI. A single pip install was enough to exfiltrate SSH keys, cloud credentials, and every API key on the machine. 500,000 machines were compromised, 300GB of credentials stolen. This post reconstructs the incident, provides a self-check prompt you can hand to your AI agent, and analyzes three lessons AI founders should take seriously.