Post #6411

❗️Andrej Karpathy just explained the scariest thing happening in software right now.. Someone poisoned a Python package that gets 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine. SSH keys, AWS credentials, crypto wallets, database passwords, git credentials, shell history, SSL private keys, everything. And here's the part that should terrify every developer alive.. The attack was only discovered because the attacker wrote sloppy code, the malware used so much RAM that it crashed someone's computer.. if the attacker had been better at coding. Nobody would have noticed for weeks. One developer, using Cursor with an MCP plugin, had litellm pulled in as a dependency they didn't even know about, their machine crashed and that crash saved thousands of companies from getting their entire infrastructure stolen. Karpathy's take is the real wake up call, every time you install any package you're trusting every single dependency in its tree, and any one of them could be poisoned. Vibe coding saved it this time. The attacker vibe coded the attack and it was too sloppy to work quietly. Next time they won't make that mistake. @aipost🏴