AI This Week: A Victorian Chatbot, a PyPI Supply Chain Attack, and Text Rendering Magic

A 340-million-parameter model that thinks it's living in 1890. A malicious Python package that tried to backdoor developers' machines. And a new browser library that finally solves the paragraph height problem. This week in AI was equal parts fascinating and terrifying.

TL;DR: Trip Venturella trained a full LLM on 28,000 out-of-copyright Victorian-era British texts and made it publicly available. Meanwhile, a malware-infected version of litellm hit PyPI and was caught by a developer using Claude to inspect it in a Docker container. And Cheng Lou (former React core dev) released Pretext, a tiny library for measuring text layout without touching the DOM.

Mr. Chatterbox: A Victorian-Era LLM You Can Run Locally

What happens when you train a language model exclusively on texts published between 1837 and 1899? You get Mr. Chatterbox, a 340M parameter model that speaks like it stepped out of a Bront novel.

Trip Venturella trained this model from scratch on 28,035 books from the British Library, totaling roughly 2.93 billion tokens. No data from after 1899 touches this model. The vocabulary, phrasing, and ideas are all authentically nineteenth-century.

The model is tiny by LLM standards: just 2.05GB on disk. You can run it locally using Simon Willison's llm-mrchatterbox plugin. Install it with llm install llm-mrchatterbox, then chat with it:

llm chat -m mrchatterbox

Is it useful? Honestly, no. Simon describes it as "more like chatting with a Markov chain than an LLM." The responses have a delightful Victorian flavor, but getting anything that usefully answers a question is a struggle.

The bottleneck is training data. The 2022 Chinchilla paper suggests a 20x ratio of training tokens to parameters. For a 340M model, that means around 7 billion tokens. The British Library corpus has less than 3 billion. You would need 4x more data to get something that feels like a real conversational partner.

But here is what makes this interesting: the training data is entirely public domain. No scraped copyrighted text, no murky licensing. If you could scale this approach to 7 billion tokens of genuinely open material, you would have something remarkable. The corpus exists. Someone just needs the compute.

This is also a proof of concept for a new kind of niche model. What else could you train on? Entire archives of scientific papers before a certain date. All public domain literature. Legal documents from a specific era. The possibilities for domain-specific, legally clean training sets are fascinating.

LiteLLM Malware: The PyPI Supply Chain Attack That Almost Worked

Speaking of things that are not delightful: a malicious version of litellm was uploaded to PyPI on March 24, 2026. The package, version 1.82.8, contained base64-encoded malware designed to execute arbitrary code on developer machines.

Developer Callum McMahon caught it using Claude, running the installation inside an isolated Docker container. The transcript, which he published using Simon Willison's claude-code-transcripts tool, shows Claude identifying the malicious litellm_init.pth file and recommending immediate reporting to security@pypi.org.

The attack vector is classic: a dependency that developers install without scrutiny, executing code during setup. The malware was live on PyPI long enough to potentially infect anyone running pip install litellm or pip install --upgrade litellm.

This is not the first supply chain attack on PyPI and it will not be the last. What is new is how McMahon caught it: using an LLM to reason through the behavior of suspicious code in a sandboxed environment. Claude identified the encoded payload, confirmed it was malicious, and suggested the correct disclosure path.

The lesson here is not new, but it bears repeating: never install random Python packages without thinking. Use virtual environments. Audit your dependencies. And if something feels off, spin up a container and let an LLM help you investigate.

Pretext: Measuring Text Height Without Touching the DOM

Cheng Lou, the former React core developer who created react-motion, released Pretext this week. It solves a problem that sounds simple but is surprisingly hard: calculate how tall a paragraph of text will be without actually rendering it.

The standard approach is to render the text and measure it, but that requires touching the DOM and is extremely expensive. Pretext does it differently. It splits text into segments (words, but accounting for soft hyphens, non-Latin characters, and emoji), measures them using an off-screen canvas, and caches the results. Then it emulates browser word-wrapping logic to figure out how many lines the text will occupy at any given width.

The key insight is the separation between prepare() and layout(). Run prepare() once on a string to build a cache. Then call layout() as many times as you want at different widths, and it will return the height instantly.

import { prepare, layout } from 'pretext';

const prepared = prepare('Your text here goes in this paragraph.');
const height1 = layout(prepared, { width: 400 }); // fast, cached
const height2 = layout(prepared, { width: 600 }); // same cache, different width

Why does this matter? Any time you want to animate text, render it in constrained spaces, or build responsive layouts without DOM thrashing, Pretext makes it possible. Cheng Lou's demo shows dynamic text layouts that would be impossible to achieve with traditional approaches without severe performance penalties.

The library is only a few kilobytes, handles Korean mixed with RTL Arabic, and was tested by rendering the full text of the Great Gatsby across multiple browsers to confirm measurement accuracy.

Sources: Simon Willison, Futuresearch AI, Simon Willison on Pretext, Pretext GitHub, HuggingFace Mr. Chatterbox