
Writing

  • LiteLLM Got Supply-Chain Attacked. It's Not Over.

    Prabal Gupta 

    LiteLLM got compromised today. Versions 1.82.7 and 1.82.8 on PyPI - the library gets something like 95 million downloads a month - had base64-encoded malicious code baked in. When it ran, it grabbed every credential it could find on your machine: SSH keys, cloud tokens, database passwords, crypto wallets, all of it. Encrypted everything, shipped it to a remote server, and then self-replicated across your Kubernetes cluster. Like a virus.

    The attackers (a group called TeamPCP) got in by first compromising a vulnerability scanner in LiteLLM’s CI/CD pipeline, which gave them the PyPI publishing credentials. Classic chain attack.

    PyPI quarantined the whole package. The LiteLLM team has taken control back. Last clean version is 1.82.6.

    But it’s not really over. Every machine that installed those versions during that window already had its credentials stolen. Containers deployed in that window are probably still running the infected code right now - the malware installs itself as a background service and keeps polling for new payloads. If you touched LiteLLM recently: uninstall, purge your caches, and rotate every credential on the machine.
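    As an added check (not from the original note or the LiteLLM project), here is a small Python scanner that flags requirements.txt or `pip freeze` lines whose litellm specifier could resolve to the two compromised releases named above; the version comparison is a simplified stand-in for full PEP 440 handling, and the sample input is constructed.

```python
# Added check, not from the original note: flag litellm requirement lines
# that could resolve to the compromised 1.82.7 / 1.82.8 releases.
import re

COMPROMISED = ("1.82.7", "1.82.8")   # releases named in the note
SPEC_RE = re.compile(r"(==|!=|>=|<=|~=|>|<)\s*([0-9]+(?:\.[0-9]+)*)(\.\*)?")


def _v(s):
    """'1.82.7' -> (1, 82, 7); simplified stand-in for PEP 440 parsing."""
    return tuple(int(p) for p in s.split("."))


def _matches(op, pin, wildcard, candidate):
    p, c = _v(pin), _v(candidate)
    if op == "==":
        return c[:len(p)] == p if wildcard else c == p
    if op == "!=":
        return not (c[:len(p)] == p if wildcard else c == p)
    if op == "~=":  # compatible release: >= pin and same prefix minus last part
        return c >= p and c[:len(p) - 1] == p[:-1]
    return {">=": c >= p, ">": c > p, "<=": c <= p, "<": c < p}[op]


def exposed_versions(spec):
    """Compromised versions a specifier such as '>=1.80,<2' would accept.
    No parseable clause (unpinned, URL or git ref) is treated as exposed so
    the line gets reviewed instead of silently passing."""
    clauses = SPEC_RE.findall(spec)
    if not clauses:
        return list(COMPROMISED)
    return [v for v in COMPROMISED
            if all(_matches(op, pin, wc, v) for op, pin, wc in clauses)]


def scan_requirements(text):
    """Scan requirements.txt / pip freeze output; return (line, exposed) hits."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, markers
        m = re.match(r"^litellm(\[[^\]]*\])?(?![\w-])\s*(.*)$", line, re.IGNORECASE)
        if m and exposed_versions(m.group(2)):
            hits.append((line, exposed_versions(m.group(2))))
    return hits


if __name__ == "__main__":  # constructed sample input
    SAMPLE = "requests==2.31.0\nlitellm[proxy]>=1.82.0,<2\nlitellm==1.82.6\n"
    for line, exposed in scan_requirements(SAMPLE):
        print(f"REVIEW: {line!r} can resolve to {', '.join(exposed)}")
```

    A clean hit list only says the pins cannot pull the bad releases; machines that already installed them during the window still need the uninstall, cache purge and credential rotation described above.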

    This isn’t isolated. A few weeks ago, researchers found that a malicious repo could hijack Claude Code the moment you opened it - arbitrary code execution before any permission dialog even appeared. Around the same time, someone was using an AI agent to systematically attack CI/CD pipelines across Microsoft, DataDog, and CNCF projects, and got into 5 out of 7 targets. Typosquatting packages mimicking Claude Code showed up on npm too.

    The AI toolchain is becoming a massive attack surface. These tools move fast enough that security review can’t keep up, and one compromised library can reach every secret in your cloud. It’s incredibly scary how easily this can happen.

  • Socratica Symposium 2026

    Prabal Gupta 

    Spent the day at Socratica Symposium, a student-run event in Waterloo, with other members from the Builders Club.

    Participants came from across North America, not just the University of Waterloo. Some of the demos that stuck:

    • Someone hacked the internal macOS APIs for the trackpad, screen hinge, and mic input to turn a MacBook into a playable musical instrument.
    • An open source omnidirectional treadmill built for gaming. Apparently it’s cheap enough to build yourself.
    • A distributed systems clock synchronization algorithm that let 2,000 phones synchronize into a light swarm responsive to live music. The whole room lit up.
    • A homemade TPU, built from scratch, that could train small deep learning models and run inference. The builders even landed in a conversation with the founder of Groq.

    There were more projects on the arts side too, but these were the ones that stuck.

  • Interface Is the Moat

    Prabal Gupta 

    If progress in LLM capabilities stopped completely right now, there’s still so much progress to be made with what already exists. B2C, B2B - the technology is already good enough to change how most of the world works. It’s not the models that are the bottleneck; it’s adoption.

    Outside the tech bubble, even tech-adjacent people only know LLMs as chatbots. That’s it. The interface layer - how these systems actually reach people and fit into their workflows - is where the real work is. And almost none of it has been done yet.

    The teams that nail the interface will capture the value, not the teams building the next model. Finding product-market fit is still hard work, especially when the disruption is this fundamental to how people interact with software. But the value waiting to be unlocked is enormous.

    We’re still early. Very early.

  • LLMs and Government Accountability

    Prabal Gupta 

    As tokens get cheaper, it’s going to become easier and easier to scour government paperwork at scale. This used to be the domain of journalists - the only people with the time and resources to read through thousands of pages of public records. Now anyone with access to a decent LLM can do it.

    One of the major defenses for government institutions has always been sheer volume. Bury things in paperwork so large that no one could realistically get through it all. But that defense is eroding fast.

    Which means the next move is predictable: less transparency, not more. Fewer documents released, more redactions, slower responses to access requests. If you can’t hide behind volume anymore, you hide behind access.

    That’s the scary part. Tightening the feedback loop between the public and government feels more important than ever.

  • AI Agents Waterloo: Voice AI Hackathon

    Prabal Gupta 

    Judged the Voice AI Hackathon yesterday, hosted by Ian Timotheos-Pilon and Ti Guo at Builders Club.

    I’ve been in the ML/AI space for a while now, and I was still caught off guard by how far vibe coding has progressed. Some teams shipped things in a weekend that I know from experience would’ve been serious engineering efforts not long ago.

    Ian said something during the event that stuck with me - “I’m not even sure the code matters as much anymore.” Watching teams ship polished products in under 2 days, it was hard to disagree. The marginal cost of producing good software has dropped fast. If shipping keeps getting easier, what actually differentiates? I keep coming back to the same things: user experience, reliability, and knowing which problem to solve in the first place.

    One of the fellow judges and I were talking about how most hackathon projects never see the light of day again. That’s just the reality of it - and we genuinely hope some of these break through.

    On the judging side, we ran an experiment. Built a system that reads codebases, watches demo videos with native audio understanding (Gemini Pro, not transcripts), and scores submissions against the rubric with written justifications before they reach the human judges. We ordered the output schema so the model has to write its reasoning before committing to a score - chain-of-thought enforced through schema design.

    Integrity checks for prompt injection, demo-code mismatches, and whether something smells like it was built on top of someone else’s work rather than from scratch - all baked into the same structured output. Freed us up to focus on the shortlist instead of reviewing every submission manually. Demo here if you’re interested.

    Sparked a lot of good conversations about the future of building. Some projects I really hope don’t stop here.