Mercor says it was hit by cyberattack tied to compromise LiteLLM

 (techcrunch.com)

39 points | by jackson-mcd 1 day ago

6 comments

  • nope1000 1 hour ago
    > The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications.

    This is pretty funny.

    The leaked excel sheet with customers of Delve is basically a shortlist of targets for hackers to try now. Not that they necessarily have bad security, but you can play the odds

  • aservus 1 hour ago
    This is a good reminder that any tool handling sensitive data — even internal ones — needs to be transparent about where data goes. The assumption that SaaS tools protect your data is getting harder to defend.
    [-]
    • lukewarm707 25 minutes ago
      I use llms to read the privacy policies that are too long to read. They guarantee almost nothing, unless you go out of your way to get an sla
  • tazsat0512 53 minutes ago
    [dead]
  • devcraft_ai 1 hour ago
    [dead]
  • techpulselab 1 hour ago
    [dead]
  • ashishb 2 hours ago
    [flagged]
    [-]
    • lmc 2 hours ago
      Docker is not a strong security boundary and shouldn't be used to sandbox like this

      https://cloud.google.com/blog/products/gcp/exploring-contain...

      [-]
      • EE84M3i 54 minutes ago
        Confusingly, Docker now has a product called "Docker Sandboxes" [1] which claims to use "microVMs" for sandboxing (separate VM per "agent"), so it's unclear to me if those rely on the same trust boundaries that traditional docker containers do (namespaces, seccomp, capabilities, etc), or if they expect the VM to be the trust boundary.

        [1]: https://www.docker.com/products/docker-sandboxes/

      • ashishb 1 hour ago
        Compared to what? Which one is superior?

        Running npm on your dev machine? Or running npm inside Docker?

        I would always prefer the latter but would love to know what your approach to security is that's better than running npm inside Docker.

        [-]
        • lmc 1 hour ago
          Read this: https://kayssel.substack.com/p/docker-escape-breaking-out-of...
          [-]
          • ashishb 14 minutes ago
            So the worst case is that you are back to running npm on your host. Right?
        • lmc 1 hour ago
          By all means, run your npm in docker, but please stop telling others it's a secure way to do so.
          [-]
          • ashishb 13 minutes ago
            I only said it is a defense-in-depth measure.

            I definitely want to know how is it worse than running npm directly on the host

    • notachatbot123 2 hours ago
      [flagged]
      [-]
      • ashishb 2 hours ago
        What makes you think that?

        Your cab see the commit history ~10% of code is written by agents.

        Rest was all written by me.

        Unlike other criticisms of the project, this one feels personal as it is objectively incorrect.

        [-]
        • bengale 1 hour ago
          All these commenters just yell AI about every post and comment on here now. They have a worse hit rate than a blind marksman.