Comment by Imustaskforhelp
2 days ago
They have written about it on github to my question:
Trivvy hacked (https://www.aquasec.com/blog/trivy-supply-chain-attack-what-...) -> all circleci credentials leaked -> included pypi publish token + github pat -> | WE DISCOVER ISSUE | -> pypi token deleted, github pat deleted + account removed from org access, trivvy pinned to last known safe version (v0.69.3)
What we're doing now:
Block all releases, until we have completed our scans
Working with Google's mandiant.security team to understand scope of impact
Reviewing / rotating any leaked credentials
https://github.com/BerriAI/litellm/issues/24518#issuecomment...
69.3 isnt safe. The safe thing to do is remove all trivy access. or failing that version. 0.35 is the last and AFAIK only safe version.
https://socket.dev/blog/trivy-under-attack-again-github-acti...
I have sent your message to the developer on github and they have changed the version to 0.35.0 ,so thanks.
https://github.com/BerriAI/litellm/issues/24518#issuecomment...
Does that explain how circleci was publishing commits and closing issues?