
PyPI Supply Chain Attack Compromises LiteLLM, Enabling the Exfiltration of Sensitive Information

InfoQ AI/ML, by Sergio De Simone, March 31, 2026


Discovered by FutureSearch researcher Callum McMahon, a supply chain attack against LiteLLM on PyPI resulted in over 40 thousand downloads of a compromised version that installed a malicious payload capable of harvesting and exfiltrating sensitive information. LiteLLM is downloaded roughly 3 million times per day.

As Andrej Karpathy noted on X, the malware was capable of exfiltrating SSL and SSH keys, cloud provider credentials, Kubernetes configurations, Git credentials, API keys, shell history, crypto wallets, and many other kinds of secrets.

As McMahon explains, the attack affected the litellm 1.82.8 package:

It started with my machine stuttering hard, something that really shouldn't be happening on a 48GB Mac. htop taking 10s of seconds to load, CPU pegged at 100%, all signs I'll be working on my local env for a while… After failing to software reset my Mac, I took a final picture for evidence and hard reset.

After McMahon promptly reported the compromised package to the PyPI security team and the LiteLLM maintainers, the affected package was quarantined within approximately 40 minutes. However, the risk extended further, since any package depending on litellm version 1.82.8 was also indirectly compromised.

According to McMahon, all it took for his system to be compromised was launching a local MCP server through Cursor. This triggered the download of the latest LiteLLM package, which happened to have been compromised just minutes earlier. However, a flaw in the implementation of the malware itself caused the LiteLLM process to recursively fork, eventually bringing McMahon’s system to a complete halt:

The .pth launcher spawns a child Python process via subprocess.Popen, but because .pth files trigger on every interpreter startup, the child re-triggers the same .pth — creating an exponential fork bomb that crashed the machine.

Without this mistake in the implementation, Karpathy noted, the malware would have gone unnoticed for much longer and caused far greater damage.
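The persistence trick McMahon describes relies on a documented property of Python's site module: any line in a `.pth` file under a site-packages directory that begins with `import ` is executed at every interpreter start-up, while every other line is treated as a path to add to `sys.path`. The following scanner, added here as an illustration and not part of the article or of any of the tools it mentions, lists those executable lines and highlights the ones that reference process spawning or payload decoding. The `SUSPICIOUS_TOKENS` heuristic and the `SAMPLE_PTH_LINES` fixture are constructed for this example.

```python
"""List executable 'import' lines in .pth files and flag suspicious ones.

Python's site module executes any .pth line that starts with "import " (or
"import\t") on every interpreter start-up; other lines are sys.path entries.
Legitimate hooks (editable installs, coverage, virtualenv) use this too, so
the output needs a human look, but a hook that spawns processes or decodes
payloads is unusual and worth investigating.
"""
import site
import sys
from pathlib import Path

# Constructed heuristic: tokens that rarely appear in a benign .pth hook.
SUSPICIOUS_TOKENS = ("subprocess", "Popen", "os.system", "exec(", "eval(",
                     "base64", "compile(", "__import__", "urllib", "socket")

# Constructed sample .pth content used for demonstration and testing.
SAMPLE_PTH_LINES = [
    "# constructed sample .pth file",
    "/usr/lib/python3/dist-packages",          # path entry, not executed
    "import _virtualenv",                      # typical benign hook
    "import subprocess; subprocess.Popen(['true'])",  # spawns a process
]


def scan_pth_lines(name, lines):
    """Return findings for one .pth file given its lines.

    Each finding is a dict with the file name, 1-based line number, the
    executable line, and a 'suspicious' flag set when the line mentions
    any token from SUSPICIOUS_TOKENS.
    """
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        # Mirror site.py: only lines starting with "import " / "import\t"
        # are executed; everything else is added to sys.path.
        if line.startswith(("import ", "import\t")):
            findings.append({
                "file": name,
                "line": lineno,
                "code": line,
                "suspicious": any(tok in line for tok in SUSPICIOUS_TOKENS),
            })
    return findings


def site_dirs():
    """Directories this interpreter scans for .pth files."""
    # getsitepackages() is missing on some very old virtualenv layouts.
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    user = site.getusersitepackages()
    if user:
        dirs.append(user)
    return [Path(d) for d in dirs if Path(d).is_dir()]


def scan_site_packages():
    """Scan every .pth file in every site directory and return all findings."""
    findings = []
    for d in site_dirs():
        for pth in sorted(d.glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_pth_lines(str(pth), text.splitlines()))
    return findings


if __name__ == "__main__":
    results = scan_site_packages()
    for f in results:
        label = "SUSPICIOUS" if f["suspicious"] else "executable"
        print(f"{label}: {f['file']}:{f['line']}: {f['code']}")
    # Non-zero exit when anything suspicious is found, so CI can fail on it.
    sys.exit(1 if any(f["suspicious"] for f in results) else 0)
```

Run it inside the environment you want to audit (the same interpreter that would load the `.pth` files); a clean environment typically reports only the hooks installed by tooling you recognise, and the exit status makes it usable as a CI gate.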

Point Wild, a provider of AI-powered cybersecurity, has open-sourced a dependency scanner to help developers assess the impact on their dependencies. The tool, who-touched-my-packages (wtmp), combines behavioral analysis and AI-driven detection to flag zero-day supply-chain threats, going beyond the coverage offered by conventional vulnerability checkers.

FutureSearch released a litellm-checker tool to help package maintainers determine whether their projects were impacted by the supply chain attack.
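The basic check such a tool performs is whether the compromised release is installed, or could be selected by a resolver from a project's requirements. The script below is an added example written for this article, not FutureSearch's litellm-checker or Point Wild's wtmp; the only version it knows is the 1.82.8 release the article names, and the `SAMPLE_REQUIREMENTS` lines are constructed. An unpinned or range specifier is reported as a risk because, during the window in which 1.82.8 was the latest release, a fresh install would have resolved to it.

```python
"""Report whether a known-compromised litellm release is installed or could
be chosen from a requirements file.

Pure standard library; requirement lines are parsed with a small regex that
covers name, optional extras and a single version specifier.
"""
import re
from importlib import metadata

# Distribution name -> versions named as compromised in the article.
COMPROMISED = {"litellm": {"1.82.8"}}

# name, optional [extras], optional operator + version; markers are ignored.
REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)"
    r"(?:\[[^\]]*\])?"
    r"\s*(?:(?P<op>===|==|!=|~=|>=|<=|>|<)\s*(?P<ver>[^\s;,#]+))?"
)


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of -_. become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify_requirement(line):
    """Classify one requirements.txt line.

    Returns None for packages not in COMPROMISED, otherwise one of:
      'pinned-compromised' : == a known-bad version
      'pinned-clean'       : == some other version
      'excluded'           : != a known-bad version
      'unpinned'           : any other spec; the resolver may pick the bad one
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http")):
        return None
    m = REQ_RE.match(line)
    if not m:
        return None
    name = normalize(m.group("name"))
    if name not in COMPROMISED:
        return None
    op, ver = m.group("op"), m.group("ver")
    if op == "==" and ver in COMPROMISED[name]:
        return "pinned-compromised"
    if op == "==":
        return "pinned-clean"
    if op == "!=" and ver in COMPROMISED[name]:
        return "excluded"
    return "unpinned"


def check_requirements(lines):
    """Return (line_number, line, verdict) for every relevant requirement."""
    out = []
    for n, raw in enumerate(lines, start=1):
        verdict = classify_requirement(raw)
        if verdict:
            out.append((n, raw.strip(), verdict))
    return out


def check_installed():
    """Return {name: version} for compromised versions installed right now."""
    hits = {}
    for name, bad in COMPROMISED.items():
        try:
            ver = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if ver in bad:
            hits[name] = ver
    return hits


# Constructed sample requirements file for demonstration.
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "litellm==1.82.8   # constructed: pinned to the compromised release",
    "LiteLLM[proxy]==1.82.7",
    "litellm>=1.80",
    "litellm!=1.82.8",
]

if __name__ == "__main__":
    for n, line, verdict in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {n}: {verdict}: {line}")
    print("installed compromised versions:", check_installed())
```

Point the `check_requirements` call at your own `requirements.txt` lines (or at the pinned lines of a lock file) and treat `pinned-compromised` as a confirmed hit and `unpinned` as a prompt to check what was actually installed, which is what `check_installed` does for the current interpreter.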

The LiteLLM team reported that the supply chain attack was enabled by a vulnerability in Trivy, which made it possible for the attackers to gain unauthorized access to the LiteLLM publishing pipeline.

For additional details on the supply chain attack and the malicious payload deployed by the malware, see McMahon's original post and Snyk's detailed analysis.

About the Author

Sergio De Simone
