Mercor says it was hit by cyberattack tied to compromise LiteLLM

 (techcrunch.com)

48 points | by jackson-mcd 1 day ago

6 comments

  • nope1000 2 hours ago
    > The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications.

    This is pretty funny.

    The leaked excel sheet with customers of Delve is basically a shortlist of targets for hackers to try now. Not that they necessarily have bad security, but you can play the odds

    [-]
    • _pdp_ 22 minutes ago
      I am not defending Delve or anything and I hope they get what they deserver but there is no correlation between SOC2 certification and the actual cyber capability of a company. SOC2 and ISO27001 is just compliance and frankly most of it is BS.
  • aservus 2 hours ago
    This is a good reminder that any tool handling sensitive data — even internal ones — needs to be transparent about where data goes. The assumption that SaaS tools protect your data is getting harder to defend.
    [-]
    • lukewarm707 1 hour ago
      I use llms to read the privacy policies that are too long to read. They guarantee almost nothing, unless you go out of your way to get an sla
  • tazsat0512 1 hour ago
    [dead]
  • devcraft_ai 2 hours ago
    [dead]
  • techpulselab 2 hours ago
    [dead]
  • ashishb 3 hours ago
    [flagged]
    [-]
    • lmc 2 hours ago
      Docker is not a strong security boundary and shouldn't be used to sandbox like this

      https://cloud.google.com/blog/products/gcp/exploring-contain...

      [-]
      • EE84M3i 1 hour ago
        Confusingly, Docker now has a product called "Docker Sandboxes" [1] which claims to use "microVMs" for sandboxing (separate VM per "agent"), so it's unclear to me if those rely on the same trust boundaries that traditional docker containers do (namespaces, seccomp, capabilities, etc), or if they expect the VM to be the trust boundary.

        [1]: https://www.docker.com/products/docker-sandboxes/

      • ashishb 2 hours ago
        Compared to what? Which one is superior?

        Running npm on your dev machine? Or running npm inside Docker?

        I would always prefer the latter but would love to know what your approach to security is that's better than running npm inside Docker.

        [-]
        • lmc 2 hours ago
          Read this: https://kayssel.substack.com/p/docker-escape-breaking-out-of...
          [-]
          • ashishb 1 hour ago
            So the worst case is that you are back to running npm on your host. Right?
        • lmc 2 hours ago
          By all means, run your npm in docker, but please stop telling others it's a secure way to do so.
          [-]
          • ashishb 1 hour ago
            I only said it is a defense-in-depth measure.

            I definitely want to know how is it worse than running npm directly on the host

            [-]
            • habinero 52 minutes ago
              Those aren't the only options, my dude.
              [-]
              • ashishb 46 minutes ago
                And what are good options that you use and that work on Linux as well as Mac OS?
    • notachatbot123 3 hours ago
      [flagged]
      [-]
      • ashishb 2 hours ago
        What makes you think that?

        Your cab see the commit history ~10% of code is written by agents.

        Rest was all written by me.

        Unlike other criticisms of the project, this one feels personal as it is objectively incorrect.

        [-]
        • bengale 2 hours ago
          All these commenters just yell AI about every post and comment on here now. They have a worse hit rate than a blind marksman.