x.com/karpathy/status/2036487306585268612
1 correction found
Afaict the poisoned version was up for only less than ~1 hour.
The compromised LiteLLM packages were available for much longer than an hour. FutureSearch says v1.82.8 was published at 10:52 UTC on March 24, 2026 and the compromised versions were not yanked until an update posted at 20:15 UTC the same day.
Full reasoning
FutureSearch's incident writeup gives a concrete timeline for the compromised releases:
- 10:52 UTC on March 24, 2026: litellm 1.82.8 was published to PyPI.
- 12:30 UTC on March 24, 2026: FutureSearch updated the post to say 1.82.7 was also compromised.
- 20:15 UTC on March 24, 2026: FutureSearch updated the post again to say the compromised versions had been yanked.
That means the malicious package(s) were available for many hours, not "less than ~1 hour." Even considering only version 1.82.8, the interval from 10:52 UTC to 20:15 UTC is about 9 hours 23 minutes.
There is also evidence that more than one version was compromised. LiteLLM's own GitHub tracking issue says both v1.82.7 and v1.82.8 were compromised, so describing this as a single poisoned version is incomplete.
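A check a practitioner would want after reading this, added here as an example and not taken from FutureSearch's writeup or the LiteLLM issue: scan requirements.txt or `pip freeze` lines for the two versions the sources name as compromised, and flag specifiers that could still resolve to them. The sample input is constructed; the version set comes from the sources above.

```python
import re

# Versions the sources above name as compromised on PyPI.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# Constructed sample input in requirements.txt / pip-freeze style.
SAMPLE_REQUIREMENTS = """\
# constructed example, not a real project file
litellm==1.82.8
LiteLLM == 1.82.6
litellm>=1.82.0
litellm<1.82.7
requests==2.31.0
litellm
"""

# name, optional operator (longer operators first), optional version
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def _vkey(version):
    """Comparable tuple for plain dotted versions such as 1.82.8."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def classify_line(line):
    """Return (name, status) or None for lines that are not simple requirements.

    status is 'compromised' (exact pin on a known-bad version),
    'may_resolve_to_compromised' (unpinned or bound that admits a bad version),
    or 'ok'.
    """
    line = line.split("#", 1)[0].strip()
    m = _REQ.match(line) if line else None
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")  # PEP 503 style normalisation
    op, ver = m.group(2), m.group(3)
    bad = COMPROMISED.get(name)
    if not bad:
        return name, "ok"
    if op == "==":
        return name, "compromised" if ver in bad else "ok"
    if op == "<" and all(_vkey(b) >= _vkey(ver) for b in bad):
        return name, "ok"  # upper bound excludes every bad version
    if op == "<=" and all(_vkey(b) > _vkey(ver) for b in bad):
        return name, "ok"
    return name, "may_resolve_to_compromised"  # unpinned, >=, >, ~= or loose bound


def scan(text):
    """Map each requirement line to its status, skipping unparseable lines."""
    results = {}
    for raw in text.splitlines():
        found = classify_line(raw)
        if found:
            results[raw.strip()] = found[1]
    return results
```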
2 sources
- Supply Chain Attack in litellm 1.82.8 on PyPI
Update (12:30 UTC): version 1.82.7 is also compromised, in addition to 1.82.8 ... Update (20:15 UTC): The compromised versions have been yanked ... At 10:52 UTC on March 24, 2026, litellm version 1.82.8 was published to PyPI.
- [Security]: litellm PyPI package (v1.82.7 + v1.82.8) compromised — full timeline and status
Compromised packages have been deleted (v1.82.7, v1.82.8) ... GitHub releases only go up to v1.82.6.dev1 — versions 1.82.7 and 1.82.8 on PyPI were uploaded directly by the attacker.