Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised

Posted by dot_treo 19 hours ago

Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised(github.com)

About an hour ago new versions have been deployed to PyPI.

I was just setting up a new project, and things behaved weirdly. My laptop ran out of RAM, it looked like a forkbomb was running.

I've investigated, and found that a base64 encoded blob has been added to proxy_server.py.

It writes and decodes another file which it then runs.

I'm in the process of reporting this upstream, but wanted to give everyone here a headsup.

It is also reported in this issue: https://github.com/BerriAI/litellm/issues/24512

587 points | 403 commentspage 5

saharhash 6 hours ago|

Easy tool to check if you/other repos were expoed https://litellm-compromised.com

0fflineuser 18 hours ago||

I was running it (as a proxy) in my homelab with docker compose using the litellm/litellm:latest image https://hub.docker.com/layers/litellm/litellm/latest/images/... , I don't think this was compromised as it is from 6 months ago and I checked it is the version 1.77.

I guess I am lucky as I have watchtower automatically update all my containers to the latest image every morning if there are new versions.

I also just added it to my homelab this sunday, I guess that's good timing haha.

wswin 17 hours ago||

I will wait with updating anything until this whole trivy case gets cleaned up.

foota 14 hours ago||

Somewhat unrelated, but if I have downloaded node modules in the last couple days, how should I best figure out if I've been hacked?

hmokiguess 17 hours ago||

What’s the best way to identify a compromised machine? Check uv, conda, pip, venv, etc across the filesystem? Any handy script around?

EDIT: here's what I did, would appreciate some sanity checking from someone who's more familiar with Python than I am, it's not my language of choice.

find / -name "litellm_init.pth" -type f 2>/dev/null

find / -path '/litellm-1.82..dist-info/METADATA' -exec grep -l 'Version: 1.82.[78]' {} \; 2>/dev/null

persedes 17 hours ago||

there's probably a more precise way, but if you're on uv:

  rg litellm  --iglob='*.lock'

lukewarm707 14 hours ago||

these days, i just use a private llm. it's very quick and when i see the logs, it does a better job than me for this type of task.

no i don't let it connect to web...

Nayjest 11 hours ago||

Use secure and minimalistic lm-proxy instead:

https://github.com/Nayjest/lm-proxy

``` pip install lm-proxy ```

Guys, sorry, as the author of a competing opensource product, I couldn’t resist

rgambee 18 hours ago||

Seems that the GitHub account of one of the maintainers has been fully compromised. They closed the GitHub issue for this problem. And all their personal repos have been edited to say "teampcp owns BerriAI". Here's one example: https://github.com/krrishdholakia/blackjack_python/commit/8f...

aborsy 13 hours ago||

What is the best way to sandbox LLMs and packages in general, while being able to work on data from outside sandbox (get data in and out easily)?

There is also the need for data sanitation, because the attacker could distribute compromised files through user’s data which will later be run and compromise the host.

ashishb 5 hours ago||

I wrote this[1] for myself last year. It only gives access to the current directory (and a few others - see README). So, it drastically reduces the attack surface of running third-party Python/Go/Rust/Haskell/JS code on your machine.

1 - https://github.com/ashishb/amazing-sandbox

cowpig 13 hours ago||

Just wrote up a quick article on how greywall[0] prevents this attack:

https://greyhaven.co/insights/how-greywall-prevents-every-st...

[0] https://greywall.io/

dec0dedab0de 17 hours ago||

github, pypi, npm, homebrew, cpan, etc etc. should adopt a multi-multi-factor authentication approach for releases. Maybe have it kick in as a requirement after X amount of monthly downloads.

Basically, have all releases require multi-factor auth from more than one person before they go live.

A single person being compromised either technically, or by being hit on the head with a wrench, should not be able to release something malicious that effects so many people.

worksonmine 17 hours ago|

And how would that work for single maintainer projects?

dec0dedab0de 17 hours ago||

They would have to find someone else if they grew too big.

Though, the secondary doesn't necessarily have to be a maintainer or even a contributor on the project. It just needs to be someone else to do a sanity check, to make sure it is an actual release.

Heck, I would even say that as the project grows in popularity, the amount of people required to approve a release should go up.

worksonmine 17 hours ago||

So if I'm developing something I want to use and the community finds it useful but I take no contributions and no feature requests I should have to find another person to deal with?

How do I even know who to trust, and what prevents two people from conspiring together with a long con? Sounds great on the surface but I'm not sure you've thought it through.

dec0dedab0de 16 hours ago||

It wouldn't prevent a project that has a goal of being purposely malicious, just from pushing out releases that aren't actually releases.

As far as who to trust, I could imagine the maintainers of different high-level projects helping each other out in this way.

Though, if you really must allow a single user to publish releases to the masses using existing shared social infrastructure. Then you could mitigate this type of attack by adding in a time delay, with the ability for users to flag. So instead of immediately going live, add in a release date, maybe even force them to mention the release date on an external system as well. The downside with that approach is that it would limit the ability to push out fixes as well.

But I think I am OK with saying if you're a solo developer, you need to bring someone else on board or host your builds yourself.

vikarti 2 hours ago|||

Why not make it _optional_ but implement on github,etc so any publisher could enable this, no matter how small. But also make it possibel to disable either by support request and small wait or by secondary confirmation or via LONG (months) wait.

worksonmine 14 hours ago|||

Or just don't install every package on the earth. The only supply-chain attack I've been affected by is xz, and I don't think anyone was safe from that one. Your solution wouldn't have caught it.

Better to enforce good security standards than cripple the ecosystem.

ps06756 9 hours ago|

Can someone help enlighten why would someone use LiteLLM over say AWS Bedrock ? Or build a lightweight router and directly connect to the model provider?

More comments...