LiteLLM Supply Chain Attack: How Unpinned Dependencies Compromised 3.4M Daily Downloads
These articles are AI-generated summaries. Please check the original sources for full details.
⚠️ LiteLLM Supply Chain Attack - What happened?
On March 24, 2026, the LiteLLM library was compromised in a supply chain attack that reached its 3.4 million daily users. The breach originated from a lateral move through Aqua Security’s Trivy and Checkmarx’s KICS projects.
Why This Matters
This incident highlights the critical vulnerability of modern AI stacks that rely on unified proxies installed directly into application runtimes. While LiteLLM simplifies multi-model integration, its position as a central dependency means that a single compromised package version can bypass standard security perimeters and harvest environment variables, SSH keys, and Kubernetes tokens across the entire infrastructure. Unpinned dependencies in CI/CD pipelines create a transitive trust model in which a breach of a third-party tool such as Trivy can lead to the theft of production PyPI publishing tokens. Even when a project's own code is secure, its build environment remains a high-value target for lateral movement.
Key Insights
- TeamPCP executed a multi-stage campaign starting with Aqua Security’s Trivy on March 19, 2026, before pivoting to LiteLLM.
- The attack exploited the pull_request_target trigger in GitHub Actions to steal aqua-bot credentials and force-push malicious commits to 75 git tags.
- LiteLLM version 1.82.8 utilized the .pth mechanism in Python’s site-packages to execute malicious code automatically during any interpreter startup.
- The malware used AES-256-CBC encryption for data exfiltration, wrapping the session key with a 4096-bit RSA public key to prevent unauthorized decryption.
- Post-exploitation persistence was achieved via a systemd service named sysmon.service that polled checkmarx.zone for remote commands every 50 minutes.
Working Examples
Installation of the compromised library, which allowed the .pth malware to execute on interpreter startup.
pip install litellm
Standard usage that became a vector for credential harvesting.
import litellm
# The malware in version 1.82.8 ran via litellm_init.pth before this import statement was even reached.
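As an added example (not code from the article or from the LiteLLM project), the following audit lists every .pth line in site-packages that Python would exec() at interpreter startup, the mechanism the summary describes for litellm_init.pth. The sample .pth contents are constructed and hypothetical.

```python
# Python's site module treats any non-comment .pth line that begins with "import " or
# "import\t" as code and exec()s it at startup; every other line is appended to sys.path.
import site
from pathlib import Path

def executable_pth_lines(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line site.py would exec() from this .pth text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue                      # blank and comment lines are skipped by site.py
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line))   # the same prefix check site.addpackage() uses
    return hits

def audit_pth_texts(files: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Map each .pth name to its executable lines; files with none are omitted."""
    report = {}
    for name, text in files.items():
        hits = executable_pth_lines(text)
        if hits:
            report[name] = hits
    return report

def audit_site_packages(dirs=None) -> dict[str, list[tuple[int, str]]]:
    """Read every *.pth in the given (default: this interpreter's) site-packages dirs."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    texts = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            if pth.name.startswith("."):  # site.py ignores dot-prefixed .pth files
                continue
            try:
                texts[str(pth)] = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
    return audit_pth_texts(texts)

# Constructed sample contents (hypothetical; not the real litellm_init.pth):
SAMPLE_PTH = {
    "myproject.pth": "/opt/myproject/src\n# plain path entry only\n",
    "startup_hook.pth": "/opt/x\nimport sys; sys.stdout.write('hook ran')\n",
}

if __name__ == "__main__":
    for name, hits in audit_site_packages().items():
        for lineno, line in hits:
            print(f"{name}:{lineno}: {line}")
```

Legitimate packages also ship import-style .pth files (for example setuptools' distutils-precedence.pth and virtualenv's _virtualenv.pth), so each hit is a review item to compare against a known-good allowlist, not a verdict on its own.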
Practical Applications
- Use Case: Pinning dependencies to specific git SHAs or hashes in CI/CD pipelines to prevent automated pulling of poisoned tags.
- Pitfall: Using pull_request_target triggers in GitHub Actions without strict checkout controls, leading to credential theft via malicious PRs.
- Use Case: Implementing architectural isolation for LLM gateways to limit the blast radius of compromised application dependencies.
- Pitfall: Storing sensitive API keys and cloud tokens as plain environment variables accessible to any imported Python module.