If you installed Prodigy Company Plugins on March 24, check whether you installed litellm v1.82.7 or v1.82.8

Prodigy Company Plugins depends on DSPy, which has litellm as a subdependency. On March 24, litellm was compromised by a supply chain attack: Supply Chain Attack in litellm 1.82.8 on PyPI

According to our download server logs, no installations of Prodigy Company Plugins occurred during the affected period, so we don’t believe any users were affected. However, if you have the wheels on disk and you happened to install today, you should check whether you received a compromised version.

We’ve always worked hard to keep control of our dependency trees and we’ve been tightening our own security measures in response to the increasing prevalence of these supply-chain attacks. Unfortunately there’s only so much we can do, because we can’t restrict our version ranges entirely or the software will be too difficult to install in combination with the rest of the ecosystem.
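
One way to run the check described above, as an added example that is not part of the original announcement or of Prodigy's own tooling: it reports the litellm version in the current Python environment and looks for litellm 1.82.7 or 1.82.8 wheels or sdists under a directory you pass in. The function names and the directory argument are assumptions, and the filename match relies on the standard `litellm-<version>-...` artifact naming.

```python
"""Added example: look for the litellm releases named in this advisory."""
import re
import sys
from importlib import metadata
from pathlib import Path

# Versions named in the advisory above.
AFFECTED = {"1.82.7", "1.82.8"}
# Wheels and sdists are named "<name>-<version>..."; the separator after the
# name must be "-", so sibling packages such as "litellm_foo-..." do not match.
ARTIFACT = re.compile(
    r"^litellm-(?P<version>[^-]+?)(?:-.*\.whl|\.tar\.gz|\.zip)$", re.I
)


def artifact_version(filename):
    """Return the litellm version encoded in a wheel/sdist filename, else None."""
    match = ARTIFACT.match(filename)
    return match.group("version") if match else None


def installed_version():
    """Version of litellm in the current environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def is_affected(version):
    """True if the given version string is one of the affected releases."""
    return version in AFFECTED


def scan_artifacts(root):
    """Return affected litellm wheels/sdists found anywhere under root."""
    return sorted(
        path for path in Path(root).rglob("litellm-*")
        if path.is_file() and is_affected(artifact_version(path.name))
    )


if __name__ == "__main__":
    found = installed_version()
    print(f"installed litellm: {found or 'not installed'}")
    # Optional argument: a directory holding downloaded wheels (hypothetical path).
    hits = scan_artifacts(sys.argv[1]) if len(sys.argv) > 1 else []
    for hit in hits:
        print(f"affected artifact on disk: {hit}")
    sys.exit(1 if is_affected(found) or hits else 0)
```

Run it with the interpreter of each environment where Prodigy Company Plugins is installed, since the installed-version check only sees the environment it runs in.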