Hacker News

Mercor says it was hit by cyberattack tied to compromise LiteLLM

45 points by jackson-mcd 2 days ago | 15 comments

nope1000 3 hours ago

> The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications.

This is pretty funny.

The leaked excel sheet with customers of Delve is basically a shortlist of targets for hackers to try now. Not that they necessarily have bad security, but you can play the odds

_pdp_ 6 minutes ago

I am not defending Delve or anything and I hope they get what they deserver but there is no correlation between SOC2 certification and the actual cyber capability of a company. SOC2 and ISO27001 is just compliance and frankly most of it is BS.

aservus 3 hours ago

This is a good reminder that any tool handling sensitive data — even internal ones — needs to be transparent about where data goes. The assumption that SaaS tools protect your data is getting harder to defend.

lukewarm707 2 hours ago

I use llms to read the privacy policies that are too long to read. They guarantee almost nothing, unless you go out of your way to get an sla

tazsat0512 2 hours ago

[dead]

devcraft_ai 3 hours ago

[dead]

techpulselab 3 hours ago

[dead]

ashishb 4 hours ago

[flagged]

lmc 3 hours ago

Docker is not a strong security boundary and shouldn't be used to sandbox like this

https://cloud.google.com/blog/products/gcp/exploring-contain...

EE84M3i 2 hours ago

Confusingly, Docker now has a product called "Docker Sandboxes" [1] which claims to use "microVMs" for sandboxing (separate VM per "agent"), so it's unclear to me if those rely on the same trust boundaries that traditional docker containers do (namespaces, seccomp, capabilities, etc), or if they expect the VM to be the trust boundary.

[1]: https://www.docker.com/products/docker-sandboxes/

ashishb 3 hours ago

Compared to what? Which one is superior?

Running npm on your dev machine? Or running npm inside Docker?

I would always prefer the latter but would love to know what your approach to security is that's better than running npm inside Docker.

lmc 2 hours ago

Read this: https://kayssel.substack.com/p/docker-escape-breaking-out-of...

ashishb 50 minutes ago

So the worst case is that you are back to running npm on your host. Right?

lmc 2 hours ago

By all means, run your npm in docker, but please stop telling others it's a secure way to do so.

ashishb 49 minutes ago

I only said it is a defense-in-depth measure.

I definitely want to know how is it worse than running npm directly on the host

habinero 36 minutes ago

Those aren't the only options, my dude.

ashishb 30 minutes ago

And what are good options that you use and that work on Linux as well as Mac OS?

notachatbot123 3 hours ago

[flagged]

ashishb 3 hours ago

What makes you think that?

Your cab see the commit history ~10% of code is written by agents.

Rest was all written by me.

Unlike other criticisms of the project, this one feels personal as it is objectively incorrect.

bengale 3 hours ago

All these commenters just yell AI about every post and comment on here now. They have a worse hit rate than a blind marksman.