by deep_noz 91 days ago
Good, I was too lazy to bump versions.

In case you missed it, according to the OP, the previous point release (1.82.7) is also compromised.
Yeah, that release has the base64 blob, but it didn't contain the pth file that auto-triggers the malware on import.
The latest version with the pth file doesn't require an import to trigger the exploit (just having the package installed is enough thanks to [1]).

The previous version triggers on `import litellm.proxy`

Again, all according to the issue OP.

[1] https://docs.python.org/3/library/site.html