%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
On March 24, a major security incident occurred in the AI open-source ecosystem. The well-known Python library litellm was implanted with malicious code on the PyPI platform, constituting a typical supply chain attack. The attack does not require active invocation; simply installing the library can trigger it, resulting in a wide-ranging impact.
Core of the Incident: litellm was implanted with an automatically executed backdoor
The affected version is 1.82.8 (released at 10:52 UTC), which includes a malicious file named litellm_init.pth. This file automatically loads and executes every time a Python process starts. Even if developers never manually import litellm, if their project indirectly depends on this library, they will be immediately compromised. The subsequent version 1.82.7 (released at 10:39 UTC) was also contaminated.
Why is litellm a high-value target?
litellm is a Python library that unifies the calling of APIs from multiple large model providers. It has over 40,000 stars on GitHub and monthly downloads exceeding 95 million. Over 2,000 open-source packages have listed it as a dependency, including mainstream AI toolchains such as DSPy, MLflow, and Open Interpreter. Many developers may have never actively installed it but may have unknowingly introduced this risk point.
Malicious Code Behavior: Systematic Theft of Sensitive Credentials
The malicious payload scans and steals sensitive information from the host, including:
- SSH keys
- AWS/GCP/Azure cloud credentials
- Kubernetes keys
- Environment variable files
- Database configurations
- Cryptocurrency wallets
The data is encrypted and packaged before being sent to a domain controlled by the attacker. If the Kubernetes environment is detected, the malicious code will also use service account tokens to automatically deploy privileged Pods across cluster nodes, enabling horizontal spread and further amplifying the threat.
The Discovery Process Is Highly Ironical: The Attacker "Bug" Exposed Itself
The exposure of the attack originated from an accidental fork bomb. Researchers were using the MCP plugin in the Cursor editor when the malicious .pth file triggered repeatedly in a Python sub-process due to the plugin's indirect dependency on litellm, causing memory to be exhausted instantly. This "self-destruction" quickly brought the incident to light. Renowned AI expert Andre Karpathy pointed out that had the attacker not made this mistake in their code, the poisoning might have remained undetected for days or even weeks.
Attack Chain Tracing: Trivy Is the Starting Point of the Supply Chain Collapse
The root cause directly points to litellm's CI/CD process — it used the Trivy vulnerability scanning tool. Trivy had already been compromised by the same attack group, TeamPCP, as early as March 19. Attackers stole litellm's PyPI publishing token through the compromised Trivy and directly pushed the malicious version. Previously, on March 23, Checkmarx KICS was also attacked by the same group. Security researcher Gal Nagli commented that the open-source supply chain has now experienced a chain reaction collapse. The compromise of Trivy directly led to litellm being compromised, with credentials from tens of thousands of production environments falling into the hands of attackers and becoming new ammunition for future attacks.
The Attacker's "Silencing" Operation Failed
After the first issue reports appeared on GitHub, the attacker used 73 stolen accounts to post 88 spam comments within 102 seconds, attempting to drown out the discussion, and then used stolen maintainer permissions to forcibly close the issue. The community quickly moved the discussion to the Hacker News platform and continued tracking the event.
Expert Opinion: Supply Chain Attacks Are the Most Terrifying Invisible Threat
Karpathy reiterated the risks of software dependencies through this incident: "Every time we introduce an external package, we may be planting a time bomb that could be poisoned deep in the dependency tree." He stated that he will increasingly prefer to let large models generate simple function code directly rather than rely on third-party libraries in the future.
Urgent Security Recommendations
AIbase reminds all AI developers:
- Immediately run pip show litellm to check the version; the last safe version is 1.82.6;
- If versions 1.82.7 or 1.82.8 are found, consider all credentials as leaked, immediately rotate them all including SSH keys, cloud credentials, and K8s tokens;
- Clean up the affected environment, rebuild containers or virtual machines, and enhance supply chain audits.
This incident once again sounds the alarm for open-source supply chain security. In today's era where AI toolchains heavily rely on third-party libraries, every dependency introduced must be approached with the highest level of vigilance.