by detente18
19 subcomments
- LiteLLM maintainer here, this is still an evolving situation, but here's what we know so far:
1. Looks like this originated from the trivvy used in our ci/cd - https://github.com/search?q=repo%3ABerriAI%2Flitellm%20trivy...
https://ramimac.me/trivy-teampcp/#phase-09
2. If you're on the proxy docker, you were not impacted. We pin our versions in the requirements.txt
3. The package is in quarantine on pypi - this blocks all downloads.
We are investigating the issue, and seeing how we can harden things. I'm sorry for this.
- Krrish
by jFriedensreich
21 subcomments
- We just can't trust dependencies and dev setups. I wanted to say "anymore" but we never could. Dev containers were never good enough, too clumsy and too little isolation. We need to start working in full sandboxes with defence in depth that have real guardrails and UIs like vm isolation + container primitives and allow lists, egress filters, seccomp, gvisor and more but with much better usability. Its the same requirements we have for agent runtimes, lets use this momentum to make our dev environments safer! In such an environment the container would crash, we see the violations, delete it and dont' have to worry about it. We should treat this as an everyday possibility not as an isolated security incident.
by postalcoder
3 subcomments
- FYI, npm/bun/pnpm/uv now all support setting a minimum release age for packages.
I updated my global configs to set min release age to 7 days:
~/.config/uv/uv.toml
exclude-newer = "7 days"
~/.npmrc
min-release-age=7 # days
~/Library/Preferences/pnpm/rc
minimum-release-age=10080 # minutes
~/.bunfig.toml
[install]
minimumReleaseAge = 604800 # seconds
by dweinstein
2 subcomments
- https://github.com/dweinstein/canary
I made this tool for macos systems that helps detect when a package accesses something it shouldn't. it's a tiny go binary (less than 2k LOC) with no dependencies that will mount a webdav filesystem (no root) or NFS (root required) with fake secrets and send you a notification when anything accesses it. Very stupid simple. I've always really liked the canary/honeypot approach and this at least may give some folks a chance to detect (similar to like LittleSnitch) when something strange is going on!
Next time the attack may not have an obvious performance issue!
- This is tied to the TeamPCP activity over the last few weeks. I've been responding, and keeping an up to date timeline. I hope it might help folks catch up and contextualize this incident:
https://ramimac.me/trivy-teampcp/#phase-09
- Besides main issue here, and the owners account being possibly compromised as well, there's like 170+ low quality spam comments in there.
I would expect better spam detection system from GitHub. This is hardly acceptable.
- I've been waiting for something like this to happen. It's just too easy to pull off. I've been hard-pinning all of my versions of dependencies and using older versions in any new projects I set up for a little while, because they've generally at least been around long enough to vet. But even that has its own set of risks (for example, what if I accidently pin a vulnerable version). Either that, or I fork everything, including all the deps, run LLMs over the codebase to vet everything.
Even still though, we can't really trust any open-source software any more that has third party dependencies, because the chains can be so complex and long it's impossible to vet everything.
It's just too easy to spam out open-source software now, which also means it's too easy to create thousands of infected repos with sophisticated and clever supply chain attacks planted deeply inside them. Ones that can be surfaced at any time, too. LLMs have compounded this risk 100x.
- This is exactly what worries me about autonomous agents.
A compromised package is bad. An agent that autonomously
runs pip install with that package is a different problem.
The attack surface moves with the agent.
- It will only take one agent-led compromise to get some Claude-authored underhanded C into llvm or linux or something and then we will all finally need to reflect on trusting trust at last and forevermore.
by intothemild
3 subcomments
- I just installed Harbor, and it instantly pegged my cpu.. i was lucky to see my processes before the system hard locked.
Basically it forkbombed `grep -r rpcuser\rpcpassword` processes trying to find cryptowallets or something. I saw that they spawned from harness, and killed it.
Got lucky, no backdoor installed here from what i could make out of the binary
- Also, not surprising that LiteLLM's SOC2 auditor was Delve. The story writes itself.
- This looks like the same TeamPCP that compromised Trivy. Notice how the issue is full of bot replies. It was the same in Trivy’s case.
This threat actor seems to be very quickly capitalising on stolen credentials, wouldn’t be surprised if they’re leveraging LLMs to do the bulk of the work.
- Look like the Founder and CTO account has been compromised.
https://github.com/krrishdholakia
by tom_alexander
5 subcomments
- Only tangentially related: Is there some joke/meme I'm not aware of? The github comment thread is flooded with identical comments like "Thanks, that helped!", "Thanks for the tip!", and "This was the answer I was looking for."
Since they all seem positive, it doesn't seem like an attack but I thought the general etiquette for github issues was to use the emoji reactions to show support so the comment thread only contains substantive comments.
- A general question - how do frontier AI companies handle scenarios like this in their training data? If they train their models naively, then training data injection seems very possible and could make models silently pwn people.
Do the labs label code versions with an associated CVE to label them as compromised (telling the model what NOT to do)? Do they do adversarial RL environments to teach what's good/bad? I'm very curious since it's inevitable some pwned code ends up as training data no matter what.
- The scariest part is LiteLLM is a transitive dependency. The person who found it wasn't even using LiteLLM directly, it got pulled in by a Cursor MCP plugin. The supply chain attack surface for AI tooling is massive because these packages get pulled in as dependencies of dependencies and nobody audits transitive installs.
- Looks like all of the LiteLLM CEO’s public repos have been updated with the description “teampcp owns BerriAI” https://github.com/krrishdholakia
by santiagobasulto
2 subcomments
- I blogged about this last year[0]...
> ### Software Supply Chain is a Pain in the A*
> On top of that, the room for vulnerabilities and supply chain attacks has increased dramatically
AI Is not about fancy models, is about plain old Software Engineering. I strongly advised our team of "not-so-senior" devs to not use LiteLLM or LangChain or anything like that and just stick to `requests.post('...')".
[0] https://sb.thoughts.ar/posts/2025/12/03/ai-is-all-about-soft...
by Bullhorn9268
0 subcomment
- I am from futuresearch and went through this with Callum (the OG). We did a small analysis here: https://futuresearch.ai/blog/litellm-hack-were-you-one-of-th... of the packages and also build this mini tool to analyze the likelihood of you getting pwned through this: https://futuresearch.ai/tools/litellm-checker/
- Their previous release would be easily caught by static analysis. PTH is a novel technique.
Run all your new dependencies through static analysis and don't install the latest versions.
I implemented static analysis for Python that detects close to 90% of such injections.
https://github.com/rushter/hexora
by syllogism
2 subcomments
- Maintainers need to keep a wall between the package publishing and public repos. Currently what people are doing is configuring the public repo as a Trusted Publisher directly. This means you can trigger the package publication from the repo itself, and the public repo is a huge surface area.
Configure the CI to make a release with the artefacts attached. Then have an entirely private repo that can't be triggered automatically as the publisher. The publisher repo fetches the artefacts and does the pypi/npm/whatever release.
- This is bad, especially from a downstream dependency perspective. DSPy and CrewAI also import LiteLLM, so you could not be using LiteLLM as a gateway, but still importing it via those libraries for agents, etc.
- Was curious—good number of projects out there with an un-pinned LiteLLM dependencies in their requirements.txt (628 matches): https://github.com/search?q=path%3A*%2Frequirements.txt%20%2...
or pyproject.toml (not possible to filter based on absence of a uv.lock, but at a glance it's missing from many of these): https://github.com/search?q=path%3A*%2Fpyproject.toml+%22%5C...
or setup.py: https://github.com/search?q=path%3A*%2Fsetup.py+%22%5C%22lit...
by sschueller
7 subcomments
- Does anyone know a good alternate project that works similarly (share multipple LLMs across a set of users)? LiteLLM has been getting worse and trying to get me to upgrade to a paid version. I also had issues with creating tokens for other users etc.
- More details here: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attac...
by cpburns2009
2 subcomments
- You can see it for yourself here:
https://inspector.pypi.io/project/litellm/1.82.8/packages/fd...
- I wonder at what point ecosystems just force a credential rotation. Trivy and now LiteLLM have probably cleaned out a sizable number of credentials, and now it's up to each person and/or team to rotate. TeamPCP is sitting on a treasure trove of credentials and based on this, they're probably carefully mapping out what they can exploit and building payloads for each one.
It would be interesting if Python, NPM, Rubygems, etc all just decided to initiate an ecosystem-wide credential reset. On one hand, it would be highly disruptive. On the other hand, it would probably stop the damage from spreading.
- We just analysed the payload. Technical details here: https://safedep.io/malicious-litellm-1-82-8-analysis/
We are looking at similar attack vectors (pth injection), signatures etc. in other PyPI packages that we know of.
by santiago-pl
0 subcomment
- It looks like Trivy was compromised at least five days ago. https://www.wiz.io/blog/trivy-compromised-teampcp-supply-cha...
by postalcoder
2 subcomments
- This is a brutal one. A ton of people use litellm as their gateway.
- Does the Python ecosystem have anything like pnpm’s minimumReleaseAge setting? Maybe I’m being overly paranoid, but it feels like every internet-facing ecosystem should have something like this.
by mark_l_watson
1 subcomments
- A question from a non-python-security-expert: is committing uv.lock files for specific versions, and only infrequently updating versions a reasonable practice?
- CrewAI (uses litellm) pinned it to 1.82.6 (last good version) 5 hours ago but the commit message does not say anything about a potential compromise. This seems weird. Is it a coincidence? Shouldn’t users be warned about a potential compromise?
https://github.com/crewAIInc/crewAI/commit/8d1edd5d65c462c3d...
- title is bit misleading.
The package was directly compromised, not “by supply chain attack”.
If you use the compromised package, your supply chain is compromised.
- If it was not spinning so many Python processes and not overwhelming the system with those (friends found out this is consuming too much CPU from the fan noise!) it would have been much more successful. So similar to xz attack
it does a lot of CPU intensive work
spawn background python
decode embedded stage
run inner collector
if data collected:
write attacker public key
generate random AES key
encrypt stolen data with AES
encrypt AES key with attacker RSA pubkey
tar both encrypted files
POST archive to remote host
- Looking forward to a Veritasium video about this in the future, like the one they recently did about the xz backdoor.
- What's with the hundreds of comments like "This was the answer I was looking for." in that GitHub thread?
They also seem to be spilling into HN [1].
Runaway AI agents? A meme I'm to old to understand?
[1] https://news.ycombinator.com/item?id=47508315
by vlovich123
0 subcomment
- I maintain that GitHub does a piss poor job of hardening CI so that one step getting compromised doesn’t compromise all possible secrets. There’s absolutely no need for the GitHub publishing workflow to run some third party scanner and the third party scanner doesn’t need access to your pypi publishing tokens.
This stupidity is squarely on GitHub CI. Trivy is also bad here but the blast radius should have been more limited.
by noobermin
1 subcomments
- I have to say, the long line of comments from obvious bots thanking the opener of the issue is a bit too on the nose.
- > the compromise originated from the Trivy dependency used in our CI/CD security scanning workflow.
What is the source of compromise?
Does anyone have a list of other compromised projects?
by cpburns2009
0 subcomment
- Looks like litellm is no longer in quarantine on PyPI, and the compromized versions (1.82.7 and 1.82.8) have been removed [1].
[1]: https://pypi.org/project/litellm/#history
by 0fflineuser
0 subcomment
- I was running it (as a proxy) in my homelab with docker compose using the litellm/litellm:latest image https://hub.docker.com/layers/litellm/litellm/latest/images/... , I don't think this was compromised as it is from 6 months ago and I checked it is the version 1.77.
I guess I am lucky as I have watchtower automatically update all my containers to the latest image every morning if there are new versions.
I also just added it to my homelab this sunday, I guess that's good timing haha.
by datadrivenangel
0 subcomment
- This among with some other issues makes me consider ejecting and building my own LLM shim. The different model providers are bespoke enough even within litellm that it sometimes seems like a lot of hassle for not much benefit.
Also the repo is so active that it's very hard to understand the state of issues and PRs, and the 'day 0' support for GPT-5.4-nano took over a week! Still, tough situation for the maintainers who got hacked.
- I will wait with updating anything until this whole trivy case gets cleaned up.
by agentictrustkit
0 subcomment
- I think this gets a lot worse when we look at it from an agentic perspective. Like when a dev person hits a compromising package, there's usually a "hold on, that's weird" moment before a catastrophe. An agent doesn't have that instinct.
Oh boy supply chain integrity will be an agent governenace problem, not just a devops one. If you send out an agent that can autonomously pull packages, do code, or access creds, then the blast radius of compromises widens. That's why I think there's an argument for least-privilege by default--agents should have scoped, auditable authority over what they can install and execute, and approval for anything outside the boundaries.
by hmokiguess
2 subcomments
- What’s the best way to identify a compromised machine? Check uv, conda, pip, venv, etc across the filesystem? Any handy script around?
EDIT: here's what I did, would appreciate some sanity checking from someone who's more familiar with Python than I am, it's not my language of choice.
find / -name "litellm_init.pth" -type f 2>/dev/null
find / -path '/litellm-1.82..dist-info/METADATA' -exec grep -l 'Version: 1.82.[78]' {} \; 2>/dev/null
- Seems that the GitHub account of one of the maintainers has been fully compromised. They closed the GitHub issue for this problem. And all their personal repos have been edited to say "teampcp owns BerriAI". Here's one example: https://github.com/krrishdholakia/blackjack_python/commit/8f...
- Somewhat unrelated, but if I have downloaded node modules in the last couple days, how should I best figure out if I've been hacked?
by dec0dedab0de
2 subcomments
- github, pypi, npm, homebrew, cpan, etc etc. should adopt a multi-multi-factor authentication approach for releases. Maybe have it kick in as a requirement after X amount of monthly downloads.
Basically, have all releases require multi-factor auth from more than one person before they go live.
A single person being compromised either technically, or by being hit on the head with a wrench, should not be able to release something malicious that effects so many people.
by dev_tools_lab
0 subcomment
- Good reminder to pin dependency versions and verify
checksums. SHA256 verification should be standard
for any tool that makes network calls.
- When something like this happens, do security researchers instantly contact the hosting companies to suspend or block the domains used by the attackers?
by nickspacek
0 subcomment
- teampcp taking credit?
https://github.com/krrishdholakia/blockchain/commit/556f2db3...
- # blockchain
- Implements a skeleton framework of how to mine using blockchain, including the consensus algorithms.
+ teampcp owns BerriAI
- What is the best way to sandbox LLMs and packages in general, while being able to work on data from outside sandbox (get data in and out easily)?
There is also the need for data sanitation, because the attacker could distribute compromised files through user’s data which will later be run and compromise the host.
- Stuff like is happening too much recently. Seems like the more fast paced areas of development would benefit from a paradigm shift
- Version 1.82.7 is also compromised. It doesn't have the pth file, but the payload is still in proxy/proxy_server.py.
- Use secure and minimalistic lm-proxy instead:
https://github.com/Nayjest/lm-proxy
```
pip install lm-proxy
```
Guys, sorry, as the author of a competing opensource product, I couldn’t resist
- Easy tool to check if you/other repos were expoed https://litellm-compromised.com
by getverdict
0 subcomment
- Supply chain compromises in AI tooling are becoming structural, not exceptional.
We've seen similar patterns in the last 6 months — Zapier's npm account
(425 packages, Shai Hulud malware) and Dify's React2Shell incident both
followed the same vector: a trusted package maintainer account as the entry
point. The blast radius keeps growing as these tools get embedded deeper
into production pipelines.
- LiteLLM has like a 1000 dependencies this is expected
https://github.com/BerriAI/litellm/blob/main/requirements.tx...
- I have older versions of litellm installed on my system - it appears to be a dependency for aider-chat (at least on NixOS)
- So now we feel the need to add malware protection into the CI, like we put comodo on windows 7 and pray while surfing shady torrent websites ?
It is pretty ironic that an extra tool used to protect against threats gets compromised and creates an even bigger threat.
Some here talks about better isolation during development, CI, but the surface area is huge, and probably impractical. Even if the CI is well isolated, the produced package is compromised.
What about reducing the number of dependencies ? Integrating core functionalities in builtin language libraries ? Avoiding frequent package updates ? Avoiding immature/experimental packages from developers of unknown reliability ?
Those issues are grave. I see no future when those get rarer, and I am afraid they may wipe the open-source movement credibility.
- Can someone help enlighten why would someone use LiteLLM over say AWS Bedrock ?
Or build a lightweight router and directly connect to the model provider?
by fratellobigio
0 subcomment
- It's been quarantined on PyPI
- Wow this is in a lot of software
by oncelearner
1 subcomments
- That's a bad supply-chain attack, many folks use litellm as main gateway
- Worth exploring safeguard for some: The automatic import can be suppressed using Python interpreter’s -S option.
This would also disable site import so not viable generically for everyone without testing.
- my takeaway from this is that it should now be MANDATORY to have an LLM do a scan on the entire codebase prior to release or artifact creation. do NOT use third party plugins for this. it's so easy to create your own github action to digest the whole codebase and inspect third party code. it costs tokens yes but it's also cached and should be negligible spend for the security it brings.
- Does this mean opencode (and other such agent harnesses that auto update) might also be compromised?
- I reviewed the LiteLLM source a while back. Without wanting to be mean, it was a mess. Steered well clear.
by 0123456789ABCDE
0 subcomment
- airflow, dagster, dspy, unsloth.ai, polar
by gaborbernat
0 subcomment
- Recommend reading related blog post https://bernat.tech/posts/securing-python-supply-chain
by saidnooneever
0 subcomment
- just wanna state this can litterally happen to anyone within this messy package ecosystem. maintainer seems to be doing his best
if you have tips i am sure they are welcome. snark remarks are useless. dont be a sourpuss. if you know better, help the remediation effort.
by cpburns2009
0 subcomment
- LiteLLM is now in quarantine on PyPI [1]. Looks like burning a recovery token was worth it.
[1]: https://pypi.org/project/litellm/
- are there any timestamps available when the malicious versions were published on pypi? I can't find anything but that now the last "good" version was published on march 22.
- Checkout LLM Gateway: https://llmgateway.io
Migration guide: https://llmgateway.io/migration/litellm
by lightedman
0 subcomment
- Write it yourself, fuzz/test it yourself, and build it yourself, or be forever subject to this exact issue.
This was taught in the 90s. Sad to see that lesson fading away.
- We need real sandboxing. Out-of-process sandboxing, not in-process. The attacks are only going to get worse.
That's why I'm building https://github.com/kstenerud/yoloai
by Imustaskforhelp
0 subcomment
- Our modern economy/software industry truly runs on egg-shells nowadays that engineers accounts are getting hacked to create a supply-chain attack all at the same time that threat actors are getting more advanced partially due to helps of LLM's.
First Trivy (which got compromised twice), now LiteLLM.
- whats up with the hundreds of bot replys on github to this?
by hmokiguess
0 subcomment
- what's up with everyone in the issue thread thanking it, is this an irony trend or is that a flex on account takeover from teampcp? this feels wild
by faxanalysis
0 subcomment
- This is secure bug impacting PyPi v1.82.7, v1.82.8. The idea of bracketing r-w-x mod package permissions for group id credential where litellm was installed.
- pretty horrifying. I only use it as lightweight wrapper and will most likely move away from it entirely. Not worth the risk
- Exactly what I needed, thanks.
by gkfasdfasdf
0 subcomment
- Someone needs to go to prison for this.
- How were they compromised? Phishing?
- LiteLLM's SOC2 auditor was Delve :))
by otabdeveloper4
2 subcomments
- LiteLLM is the second worst software project known to man. (First is LangChain. Third is OpenClaw.)
I'm sensing a pattern here, hmm.
by danielvaughn
0 subcomment
- I work with security researchers, so we've been on this since about an hour ago. One pain I've really come to feel is the complexity of Python environments. They've always been a pain, but in an incident like this, where you need to find whether an exact version of a package has ever been installed on your machine. All I can say is good luck.
The Python ecosystem provides too many nooks and crannies for malware to hide in.
- Thank you for posting this, interesting.
I hope that everyone's course of action will be uninstalling this package permanently, and avoiding the installation of packages similar to this.
In order to reduce supply chain risk not only does a vendor (even if gratis and OS) need to be evaluated, but the advantage it provides.
Exposing yourself to supply chain risk for an HTTP server dependency is natural. But exposing yourself for is-odd, or whatever this is, is not worth it.
Remember that you are programmers and you can just program, you don't need a framework, you are already using the API of an LLM provider, don't put a hat on a hat, don't get killed for nothing.
And even if you weren't using this specific dependency, check your deps, you might have shit like this in your requirements.txt and was merely saved by chance.
An additional note is that the dev will probably post a post-mortem, what was learned, how it was fixed, maybe downplay the thing. Ignore that, the only reasonable step after this is closing a repo, but there's no incentive to do that.
by Blackthorn
1 subcomments
- Edit: ignore this silliness, as it sidesteps the real problem. Leaving it here because we shouldn't remove our own stupidity.
It's pretty disappointing that safetensors has existed for multiple years now but people are still distributing pth files. Yes it requires more code to handle the loading and saving of models, but you'd think it would be worth it to avoid situations like this.
- Now I feel lucky that I switched to just using OpenRouter a year ago because LiteLLM was incredible flaky and kept causing outages.
by somehnguy
1 subcomments
- Perhaps I'm missing something obvious - but what's up with the comments on the reported issue?
Hundreds of downvoted comments like "Worked like a charm, much appreciated.", "Thanks, that helped!", and "Great explanation, thanks for sharing."
- Am I the only one having feeling that with LLM-era we have now bigger amount of malicious software lets say parsers/fetchers of credentials/ssh/private keys?
And it is easier to produce them and then include in some 3rd party open-source software? Or it is just our attention gets focused on such things?
- I recommend scanning all of your projects with osv-scanner in non-blocking mode
# add any dependency file patterns
osv-scanner -r .
as your projects mature, add osv-scanner as a blocking step to fail your installs before the code gets installed / executed.
- What is happening in this issue thread? Why are there 100+ satisfied slop comments?
- good i was too lazy to bump versions
- Tried running the compromised package inside Greywall, because theoretically it should mitigate everything but in practice it just forkbombs itself?
- What do we have here? Unaudited software completely compromised with a fake SOC 2 and ISO 27001 certification.
An actual infosec audit would have rigorously enforced basic security best practices in preventing this supply chain attack.
[0] https://news.ycombinator.com/item?id=47502754
- Oooof another one. I think i will lock my deps to versions at least 3 months old.
- helpful
- [dead]
- [dead]
by riteshkew1001
0 subcomment
- [dead]
by federicodeponte
0 subcomment
- [dead]
by rafaamaral
0 subcomment
- [dead]
- [dead]
by jamiemallers
0 subcomment
- [dead]
by aplomb1026
0 subcomment
- [dead]
by skillflow_ai
0 subcomment
- [dead]
by builderhq_io
0 subcomment
- [dead]
- [dead]
by devnotes77
0 subcomment
- [dead]
by matrixgard
0 subcomment
- [dead]
by peytongreen_dev
0 subcomment
- [flagged]
- [dead]
- [dead]
- [dead]
- [dead]
by openclaw01
0 subcomment
- [dead]
- [dead]
by aistackkit
0 subcomment
- [dead]
by qcautomation
0 subcomment
- [dead]
- [dead]
- [flagged]
by thibault000
0 subcomment
- [dead]
by Adam_cipher
0 subcomment
- [dead]
- [dead]
- [dead]
- [dead]
- [dead]
by hahaddmmm12x
1 subcomments
- [flagged]
by iamnotai666
0 subcomment
- [dead]
- I've been developing an alternative to LiteLLM. Javascript. No dependencies. https://github.com/johnhenry/ai.matey/
- Reminded me of a similar story at openSSH, wonderfully documented in a "Veritasium" episode, which was just fascinating to watch/listen.
https://www.youtube.com/watch?v=aoag03mSuXQ
Hacker News