
According to incident and security reports, malicious LiteLLM releases on PyPI searched for crypto wallets, Solana validator files and cloud secrets, expanding concerns over exposure from a widely used AI developer dependency.
New reporting on the LiteLLM PyPI supply chain attack says two malicious versions, 1.82.7 and 1.82.8, were published on March 24 after a maintainer account was compromised, with version 1.82.8 using a .pth file to execute code automatically whenever Python started. Security analysis said the payload explicitly searched for Bitcoin wallet files, Ethereum keystores, Solana CLI and validator material, SSH keys, cloud credentials and Kubernetes secrets, while also attempting persistence and privileged cluster access. FutureSearch estimated 46,996 downloads in 46 minutes, including 32,464 for version 1.82.8, and found 2,337 dependent PyPI packages, 88% of which allowed the compromised version range at the time. PyPI later quarantined the releases, LiteLLM removed them, rotated maintainer credentials and engaged Mandiant, but affected teams were warned to treat environments exposed on March 24 as fully compromised and rotate or revoke accessible secrets.
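As an added example (not code from LiteLLM, PyPI or the cited reports), the script below lists every `.pth` line that Python's `site` module would execute at interpreter startup, which is the mechanism described for version 1.82.8, and reports whether an installed litellm matches one of the two versions named above. The function names are chosen here for illustration.

```python
"""Defensive check: list .pth lines that Python's site module executes at startup."""
import site
import sysconfig
from importlib import metadata
from pathlib import Path

# Versions named in the reporting above as malicious.
FLAGGED_LITELLM = {"1.82.7", "1.82.8"}


def executable_pth_lines(directory):
    """Return (file name, line number, text) for each .pth line site.py would exec."""
    hits = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        for number, line in enumerate(text.splitlines(), start=1):
            # site.py executes lines that start with "import" plus a space or tab;
            # any other non-comment line is only treated as a path entry.
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, number, line.strip()))
    return hits


def installed_litellm_flagged():
    """Return the installed litellm version if it is a flagged one, else None."""
    try:
        version = metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None
    return version if version in FLAGGED_LITELLM else None


def site_dirs():
    """Directories the current interpreter scans for .pth files."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    dirs.update(site.getsitepackages())
    return sorted(d for d in dirs if Path(d).is_dir())


if __name__ == "__main__":
    print("flagged litellm installed:", installed_litellm_flagged())
    for d in site_dirs():
        for name, number, line in executable_pth_lines(d):
            print(f"{d}/{name}:{number}: {line[:120]}")
```

Legitimate packages also ship `.pth` files with `import` lines (setuptools' `distutils-precedence.pth` is one), so each hit needs review rather than automatic removal.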