Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised

Posted by dot_treo 21 hours ago

Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised(github.com)

About an hour ago new versions have been deployed to PyPI.

I was just setting up a new project, and things behaved weirdly. My laptop ran out of RAM, it looked like a forkbomb was running.

I've investigated, and found that a base64 encoded blob has been added to proxy_server.py.

It writes and decodes another file which it then runs.

I'm in the process of reporting this upstream, but wanted to give everyone here a headsup.

It is also reported in this issue: https://github.com/BerriAI/litellm/issues/24512

621 points | 410 commentspage 6

dec0dedab0de 19 hours ago|

github, pypi, npm, homebrew, cpan, etc etc. should adopt a multi-multi-factor authentication approach for releases. Maybe have it kick in as a requirement after X amount of monthly downloads.

Basically, have all releases require multi-factor auth from more than one person before they go live.

A single person being compromised either technically, or by being hit on the head with a wrench, should not be able to release something malicious that effects so many people.

worksonmine 19 hours ago|

And how would that work for single maintainer projects?

dec0dedab0de 18 hours ago||

They would have to find someone else if they grew too big.

Though, the secondary doesn't necessarily have to be a maintainer or even a contributor on the project. It just needs to be someone else to do a sanity check, to make sure it is an actual release.

Heck, I would even say that as the project grows in popularity, the amount of people required to approve a release should go up.

worksonmine 18 hours ago||

So if I'm developing something I want to use and the community finds it useful but I take no contributions and no feature requests I should have to find another person to deal with?

How do I even know who to trust, and what prevents two people from conspiring together with a long con? Sounds great on the surface but I'm not sure you've thought it through.

dec0dedab0de 18 hours ago||

It wouldn't prevent a project that has a goal of being purposely malicious, just from pushing out releases that aren't actually releases.

As far as who to trust, I could imagine the maintainers of different high-level projects helping each other out in this way.

Though, if you really must allow a single user to publish releases to the masses using existing shared social infrastructure. Then you could mitigate this type of attack by adding in a time delay, with the ability for users to flag. So instead of immediately going live, add in a release date, maybe even force them to mention the release date on an external system as well. The downside with that approach is that it would limit the ability to push out fixes as well.

But I think I am OK with saying if you're a solo developer, you need to bring someone else on board or host your builds yourself.

vikarti 3 hours ago|||

Why not make it _optional_ but implement on github,etc so any publisher could enable this, no matter how small. But also make it possibel to disable either by support request and small wait or by secondary confirmation or via LONG (months) wait.

worksonmine 15 hours ago|||

Or just don't install every package on the earth. The only supply-chain attack I've been affected by is xz, and I don't think anyone was safe from that one. Your solution wouldn't have caught it.

Better to enforce good security standards than cripple the ecosystem.

xinayder 19 hours ago||

When something like this happens, do security researchers instantly contact the hosting companies to suspend or block the domains used by the attackers?

redrove 19 hours ago|

First line of defense is the git host and artifact host scrape the malware clean (in this case GitHub and Pypi).

Domains might get added to a list for things like 1.1.1.2 but as you can imagine that has much smaller coverage, not everyone uses something like this in their DNS infra.

itintheory 14 hours ago||

This threat actor is also using Internet Computer Protocol (ICP) "Canisters" to deliver payloads. I'm not too familiar with the project, but I'm not sure blocking domains in DNS would help there.

ps06756 10 hours ago||

Can someone help enlighten why would someone use LiteLLM over say AWS Bedrock ? Or build a lightweight router and directly connect to the model provider?

nickspacek 20 hours ago||

teampcp taking credit?

https://github.com/krrishdholakia/blockchain/commit/556f2db3...

  - # blockchain
  - Implements a skeleton framework of how to mine using blockchain, including the consensus algorithms.
  + teampcp owns BerriAI

tom-blk 18 hours ago||

Stuff like is happening too much recently. Seems like the more fast paced areas of development would benefit from a paradigm shift

sirl1on 18 hours ago|

Move Slow and Fix Things.

xunairah 19 hours ago||

Version 1.82.7 is also compromised. It doesn't have the pth file, but the payload is still in proxy/proxy_server.py.

segalord 18 hours ago||

LiteLLM has like a 1000 dependencies this is expected https://github.com/BerriAI/litellm/blob/main/requirements.tx...

zahlman 11 hours ago|

Oof. What exactly is supposed to be "lite" about this?

fratellobigio 19 hours ago||

It's been quarantined on PyPI

mikert89 19 hours ago|

Wow this is in a lot of software

eoskx 19 hours ago|

Yep, DSPy and CrewAI have direct dependencies on it. DSPy uses it as its primary library for calling upstream LLM providers and CrewAI falls back to it I believe if the OpenAI, Anthropic, etc. SDKs aren't available.

More comments...