Posted by dot_treo 1 day ago

Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised (github.com)
About an hour ago new versions have been deployed to PyPI.

I was just setting up a new project, and things behaved weirdly. My laptop ran out of RAM, it looked like a forkbomb was running.

I've investigated, and found that a base64 encoded blob has been added to proxy_server.py.

It writes and decodes another file which it then runs.

I'm in the process of reporting this upstream, but wanted to give everyone here a headsup.

It is also reported in this issue: https://github.com/BerriAI/litellm/issues/24512

779 points | 447 comments | page 10
zhisme 1 day ago|
Am I the only one having the feeling that with the LLM era we now have a bigger amount of malicious software, let's say parsers/fetchers of credentials/ssh/private keys? And it is easier to produce them and then include them in some 3rd party open-source software? Or is it just that our attention gets focused on such things?
tonymet 17 hours ago||
I recommend scanning all of your projects with osv-scanner in non-blocking mode

   # add any dependency file patterns
   osv-scanner -r .
As your projects mature, add osv-scanner as a blocking step to fail your installs before the code gets installed / executed.
iwhalen 1 day ago||
What is happening in this issue thread? Why are there 100+ satisfied slop comments?
bakugo 1 day ago||
Attackers trying to stifle discussion, they did the same for trivy: https://github.com/aquasecurity/trivy/discussions/10420
Imustaskforhelp 1 day ago||
I have created a comment to hopefully steer the discussion towards Hacker News if the threat actor is stifling genuine comments on GitHub by spamming that thread with 100s of accounts

https://github.com/BerriAI/litellm/issues/24512#issuecomment...

cirego 1 day ago|||
First thing I noticed too.
kevml 1 day ago|||
Potentially compromised?
nubg 1 day ago||
Are they trying to slide stuff down? But it just bumps stuff up?
cowpig 21 hours ago||
Tried running the compromised package inside Greywall, because theoretically it should mitigate everything but in practice it just forkbombs itself?
deep_noz 1 day ago||
good i was too lazy to bump versions
jadamson 1 day ago|
In case you missed it, according to the OP, the previous point release (1.82.7) is also compromised.
dot_treo 1 day ago||
Yeah, that release has the base64 blob, but it didn't contain the pth file that auto triggers the malware on import.
jadamson 1 day ago||
The latest version with the pth file doesn't require an import to trigger the exploit (just having the package installed is enough thanks to [1]).

The previous version triggers on `import litellm.proxy`

Again, all according to the issue OP.

[1] https://docs.python.org/3/library/site.html

rvz 21 hours ago||
What do we have here? Unaudited software completely compromised with a fake SOC 2 and ISO 27001 certification.

An actual infosec audit would have rigorously enforced basic security best practices in preventing this supply chain attack.

[0] https://news.ycombinator.com/item?id=47502754

arrty88 15 hours ago||
Oooof another one. I think I will lock my deps to versions at least 3 months old.
otabdeveloper4 1 day ago||
LiteLLM is the second worst software project known to man. (First is LangChain. Third is OpenClaw.)

I'm sensing a pattern here, hmm.

ting0 19 hours ago||
LLMs recommend LiteLLM, so its popularity will only continue.
nickvec 1 day ago||
Not familiar with LangChain besides at a surface level - what makes it the worst software project known to man?
eoskx 1 day ago|||
LangChain at least has its own layer for upstream LLM provider calls, which means it isn't affected by this supply chain compromise. DSPy uses LiteLLM as its primary way to call OpenAI, etc. and CrewAI imports it, too, but I believe it prefers the vendor libraries directly before it falls back to LiteLLM.
otabdeveloper4 20 hours ago|||
You have to see it to believe it. Feel the vibes.