alt.hn

4/1/2026 at 4:14:41 AM

Mercor says it was hit by cyberattack tied to compromise of LiteLLM

https://techcrunch.com/2026/03/31/mercor-says-it-was-hit-by-cyberattack-tied-to-compromise-of-open-source-litellm-project/

by jackson-mcd

4/2/2026 at 8:11:02 AM

> The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications.

This is pretty funny.

The leaked Excel sheet with customers of Delve is basically a shortlist of targets for hackers to try now. Not that they necessarily have bad security, but you can play the odds.

by nope1000

4/2/2026 at 10:26:06 AM

I am not defending Delve or anything and I hope they get what they deserve, but there is no correlation between SOC2 certification and the actual cyber capability of a company. SOC2 and ISO27001 are just compliance and frankly most of it is BS.

by _pdp_

4/2/2026 at 10:55:58 AM

It might feel like BS, and I'm inclined to agree with you because of the security theater aspect. (For example, Mercor had their verification done by what appears to be a legitimate audit firm.)

But it's not useless. It still forces you to go through a very useful exercise of risk modeling and preparation that you most likely won't do without a formal program.

by sebmellen

4/2/2026 at 8:20:08 AM

This is a good reminder that any tool handling sensitive data — even internal ones — needs to be transparent about where data goes. The assumption that SaaS tools protect your data is getting harder to defend.

by aservus

4/2/2026 at 9:30:49 AM

I use LLMs to read the privacy policies that are too long to read. They guarantee almost nothing, unless you go out of your way to get an SLA.

by lukewarm707

4/2/2026 at 9:02:50 AM

[dead]

by tazsat0512

4/2/2026 at 8:30:33 AM

[dead]

by devcraft_ai

4/2/2026 at 8:13:39 AM

[dead]

by techpulselab

4/2/2026 at 7:03:54 AM

[flagged]

by ashishb

4/2/2026 at 7:53:18 AM

Docker is not a strong security boundary and shouldn't be used to sandbox like this.

https://cloud.google.com/blog/products/gcp/exploring-contain...

by lmc

4/2/2026 at 9:01:56 AM

Confusingly, Docker now has a product called "Docker Sandboxes" [1] which claims to use "microVMs" for sandboxing (separate VM per "agent"), so it's unclear to me if those rely on the same trust boundaries that traditional Docker containers do (namespaces, seccomp, capabilities, etc.), or if they expect the VM to be the trust boundary.

[1]: https://www.docker.com/products/docker-sandboxes/

by EE84M3i

4/2/2026 at 8:29:39 AM

Compared to what? Which one is superior?

Running npm on your dev machine? Or running npm inside Docker?

I would always prefer the latter but would love to know what your approach to security is that's better than running npm inside Docker.

by ashishb

4/2/2026 at 8:44:14 AM

By all means, run your npm in Docker, but please stop telling others it's a secure way to do so.

by lmc

4/2/2026 at 9:42:58 AM

I only said it is a defense-in-depth measure.

I definitely want to know how it is worse than running npm directly on the host.

by ashishb

4/2/2026 at 9:55:58 AM

Those aren't the only options, my dude.

by habinero

4/2/2026 at 10:01:47 AM

And what are good options that you use and that work on Linux as well as Mac OS?

by ashishb

4/2/2026 at 7:38:22 AM

[flagged]

by notachatbot123

4/2/2026 at 7:52:08 AM

What makes you think that?

You can see in the commit history that ~10% of the code is written by agents.

Rest was all written by me.

Unlike other criticisms of the project, this one feels personal as it is objectively incorrect.

by ashishb

4/2/2026 at 7:57:39 AM

All these commenters just yell AI about every post and comment on here now. They have a worse hit rate than a blind marksman.

by bengale