They absolutely do. In this case litellm 1.82.8 had been out for at least a week (can’t recall the exact date offhand). The compromised version was a replacement.
reply
It actually wasn't. That was one of the reasons why I looked into what was changed. Even 1.82.6 is only at an RC release on GitHub since just before the incident.

So the fact that 1.82.7 and then 1.82.8 were released within an hour of each other was highly suspicious.

reply
Ah, my mistake! Thanks for the correction.

But I believe you can replace versions on both, nonetheless. It’s a multi-step process, unpublish then publish again. But the net effect is the same.

reply
1.82.7 and 1.82.8 were only up for about 3 hours before they were quarantined on PyPI.
reply
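The timing heuristic the posters above rely on (two releases pushed within an hour of each other, then pulled a few hours later) as an added example that is not code from the thread: it reads a `releases` map in the shape returned by PyPI's JSON API (`https://pypi.org/pypi/<package>/json`) and flags consecutive versions whose first uploads are closer together than a window. The package name, version numbers and timestamps below are constructed, not litellm's real history.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the "releases" map from PyPI's JSON API.
# Versions and upload times are invented for illustration only.
SAMPLE_RELEASES = {
    "1.0.5": [{"filename": "example_pkg-1.0.5-py3-none-any.whl",
               "upload_time_iso_8601": "2024-01-01T09:00:00.000000Z", "yanked": False}],
    "1.0.6rc1": [{"filename": "example_pkg-1.0.6rc1-py3-none-any.whl",
                  "upload_time_iso_8601": "2024-01-09T18:30:00.000000Z", "yanked": False}],
    "1.0.7": [{"filename": "example_pkg-1.0.7-py3-none-any.whl",
               "upload_time_iso_8601": "2024-01-10T14:02:00.000000Z", "yanked": False}],
    "1.0.8": [{"filename": "example_pkg-1.0.8-py3-none-any.whl",
               "upload_time_iso_8601": "2024-01-10T14:41:00.000000Z", "yanked": False}],
}


def parse_upload_time(stamp):
    """Parse PyPI's ISO 8601 upload time (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def release_timeline(releases):
    """Return [(version, first_upload_time)] ordered by upload time.

    Ordering by upload time rather than by version string is the point: a
    re-published or out-of-order version shows up where it was actually
    uploaded, not where its number suggests. Versions with no files are skipped.
    """
    timeline = [
        (version, min(parse_upload_time(f["upload_time_iso_8601"]) for f in files))
        for version, files in releases.items() if files
    ]
    timeline.sort(key=lambda item: item[1])
    return timeline


def flag_rapid_releases(releases, window=timedelta(hours=1)):
    """Return (older, newer, gap_seconds) for consecutive releases closer than window.

    A hit is only a prompt to diff the two artifacts, not proof of compromise.
    """
    timeline = release_timeline(releases)
    flagged = []
    for (v_prev, t_prev), (v_next, t_next) in zip(timeline, timeline[1:]):
        gap = t_next - t_prev
        if gap <= window:
            flagged.append((v_prev, v_next, int(gap.total_seconds())))
    return flagged


if __name__ == "__main__":
    print(flag_rapid_releases(SAMPLE_RELEASES))
```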