andymcsherry's comments

Andy from Lightning here. Yeah, the PyPI credentials were stolen through the compromised pl-ghost bot account. The attacker used this account to create a new actions workflow, which was run and parsed out secrets for PyPI. After releasing the package, the attacker then used that account to troll us a bit with those comments.

Andy from Lightning here. The malicious file that gets installed has this signature:

  router_runtime.js

  SHA256 5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1
  SHA1 f1b3e7b3eec3294c4d6b5f87854a52471f03997f
  MD5 40d0f21b64ec8fb3a7a1959897252e09

Thanks!

Andy from Lightning here. The malicious packages were published today at 12:45 PM UTC to PyPI. Before that, there were no affected distributions, and we were unaware of any leak. The original release on GitHub did not contain the issue, but we have taken it down to prevent any confusion.

Andy from Lightning here. The malicious code was not submitted to the main repo at GitHub. It appears our PyPI credentials were leaked and compromised packages were published directly there for versions 2.6.2 and 2.6.3.

I vaguely remember PyPI requiring 2FA about a year and a half ago at least for logins.

If they haven't started yet, they should require 2nd factor for publishing as well.


Andy from Lightning here. Thanks for pointing that out, we are updating the CVE. Only the versions from PyPI were affected. The malicious code was not checked into the GitHub repository.


You failed to mention that this is an ad for the company you work at. Also, the links don't even work without signing up for some shitty service.


Hey ipsum, sorry I could have mentioned that. We spend a ton of effort on open source and sharing our ML knowledge with the community. If you don't want to use our platform, the entire source code and a tutorial are there to run it on your own.


Australia has a slowish rail network because it is sparsely populated. It is an extreme version of America, the distances between population centers are quite large and there's not much in-between. There's also not much reason for anyone from Sydney to visit Canberra, and if you do, you certainly need a car to get around.


Sydney to Canberra centre for government adjacent business you probably don't need a car. The train is near parliament and probably near your office and hotel. Maybe a taxi to get to the city centre which is 5 min away.


That’s the software platform used to deploy it


LitServe is a flexible serving engine for AI models built on FastAPI. Features like batching, streaming, and GPU autoscaling eliminate the need to rebuild a FastAPI server per model.

The examples featured on the litserve page include a range of applications such as large language models (LLMs), natural language processing (NLP), multimodal tasks, audio processing, vision models, speech synthesis, classical machine learning (ML) algorithms, and a media conversion API, demonstrating the versatility of litserve in deploying various machine learning models and services.


I get the sentiment, but one of their models, albeit the worst one, is licensed under Apache without usage restrictions. The source to run the models is also open source.

