Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

The x402 vs. MPP debate isn't about tech, it's about who gets to launch Cloudflare's NET Dollar. A stablecoin for bot payments, whoever issues NET (Coinbase or Stripe) likely gets their standard prioritized across a FIFTH of the internet. Cloudflare has been positioning itself at the center of agentic payments for the past year plus. They see the problem firsthand: bots are overwhelming the web, driving up costs and overloading servers. Wikipedia's traffic grew 50% from scraping. 71% of top publishers now block retrieval bots entirely. So, Cloudflare built walls (bot blocking tools) and also windows (pay-per-crawl, so sites can charge bots instead of blocking them). And who they choose to issue NET could determine which payment standard wins. The evidence that Stripe may have the edge: > Cloudflare CO-FOUNDED the x402 Foundation with Coinbase, but STILL hasn't named an issuer (even though CB issues stablecoins) > Per The Information, Coinbase is just ONE of several companies competing for the deal alongside ZeroHash > Cloudflare integrated MPP immediately > Pay-per-crawl already uses Stripe. ZeroHash works closely with Stripe David Christopher mapped out the full competitive picture.

everyone saying crypto twitter is dead no one saying where the next crypto twitter is there is no other large public forum where you can talk crypto reddit will ban you, bluesky will ostracize you, farcaster doesn't want to promote conversations CT is all we have

Crypto gaming is back in the limelight once again, its latest dead-for-good diagnosis stirring up plenty of debate ... once again. On that diagnosis, which some people took as a write-off of Solana

Starting Thursday, we'll be updating our revenue sharing incentives to better reward the content we want on X: We will be giving more weight to impressions from your home region—to encourage content that resonates with people in your country, in neighboring countries and people who speak your language. While we appreciate everyone's opinion on American politics, we hope this will disincentivize gaming the attention of US or Japanese accounts and instead, drive diverse conversations on the platform. We invite creators to start building an audience locally. X will be a much richer community when there's relevant posts for people in all parts of the world.

> they are hard core open source 99% of the miladys i have seen have never shipped a real open source project in their life. we dont need this LARP culture for cypherpunk values

Crypto Winter reflections I've been in crypto since 2013, so quite a few years by now. I co-founded @Zcash, then moved on and co-founded @StarkWareLtd. In short, I've been here for a while. By now I've passed quite a few winters, so many, that I've stopped counting. I do notice that different winters have different flavor to them and I remember the last crypto winter. The one word I associate the most with the last crypto winter is SCAMs. Between the crash of Luna, 3Arrows Capital, and the cherry on the top – FTX, that winter was brought about by over-wild speculation and unethical conduct. In contrast, the current crypto winter feels very different to me. The phrase I use is TradFi Bear Hug. By this I mean that with the election of Trump and the warm embrace of regulators and large TradFi players of crypto, it seemed for a while that crypto found its destination: to become the new money, new financial rails, new infrastructure for doing all the stuff that Wall Street has been doing so far. But what actually happened is that this Bear Hug crowded out the true spirit of crypto, which is about Freedom of Economic Enterprise. This type of freedom means doing all sorts of wild, fun, crazy, new things that in TradFi world are reserved to the Fat Cats, and some of which are not even dared to be done by them. So, we find ourselves in a weird winter, marked by the smothering of the spirit of freedom by the big bear hug of TradFi. At the same time, there's a vacuum and lack of leadership. But change is on the way, I can smell it. It's Freedom.