In hindsight: a bad choice of a hero message

r/LocalLLaMA
Generative AI

If you haven't heard, two versions of LiteLLM got hacked yesterday (1.82.7 and 1.82.8).

That means tons of AI agent projects got compromised if they installed during those 3 hours.

Live on PyPI for 3 hours. Downloaded 3.4M times per day.

Stole SSH keys, credentials, secrets, API keys and crypto wallet seed phrases.

How it happened: Attackers compromised Trivy (a security scanner) first. When LiteLLM's CI ran Trivy, it leaked their PyPI token.

Worst part: v1.82.8 used a .pth file. The malicious code ran every time Python started. Even when you just ran pip.
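
A defender-side check for the mechanism the post describes, added here as an example and not code from the post or from LiteLLM: Python's `site` module executes any `.pth` line that begins with `import`, so this script lists those lines in every site directory and reports whether the installed `litellm` is one of the two versions named above. The function names are illustrative.

```python
"""Audit .pth files for lines the site module executes at interpreter startup."""
import site
import sysconfig
from importlib import metadata
from pathlib import Path

AFFECTED_LITELLM = {"1.82.7", "1.82.8"}  # versions named in the post


def executable_pth_lines(pth_text):
    """Return (line_no, line) for lines site.py would exec() rather than add to sys.path."""
    hits = []
    for no, line in enumerate(pth_text.splitlines(), 1):
        # site.addpackage() executes a line only if it starts with "import" + space/tab.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()))
    return hits


def site_dirs():
    """Directories whose .pth files are processed when Python starts."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    dirs.add(sysconfig.get_paths()["purelib"])
    return [Path(d) for d in dirs if Path(d).is_dir()]


def audit(dirs=None):
    """Map each .pth file containing executable lines to those lines."""
    findings = {}
    for d in dirs or site_dirs():
        for pth in sorted(Path(d).glob("*.pth")):
            hits = executable_pth_lines(pth.read_text(errors="replace"))
            if hits:
                findings[str(pth)] = hits
    return findings


def litellm_affected():
    """True if the installed litellm is one of the versions named in the post."""
    try:
        return metadata.version("litellm") in AFFECTED_LITELLM
    except metadata.PackageNotFoundError:
        return False


if __name__ == "__main__":
    print("litellm affected version installed:", litellm_affected())
    for path, hits in audit().items():
        for no, line in hits:
            print(f"{path}:{no}: {line[:120]}")
```

Legitimate tooling (editable installs, setuptools) also ships `.pth` files with `import` lines, so each hit is something to review against the package that owns the file, not proof of compromise.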