Posted by dot_treo 22 hours ago

Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised (github.com)
About an hour ago new versions have been deployed to PyPI.

I was just setting up a new project, and things behaved weirdly. My laptop ran out of RAM, it looked like a forkbomb was running.

I've investigated, and found that a base64 encoded blob has been added to proxy_server.py.

It writes and decodes another file which it then runs.

I'm in the process of reporting this upstream, but wanted to give everyone here a heads-up.

It is also reported in this issue: https://github.com/BerriAI/litellm/issues/24512

664 points | 419 comments | page 7
mikert89 21 hours ago|
Wow this is in a lot of software
eoskx 20 hours ago|
Yep, DSPy and CrewAI have direct dependencies on it. DSPy uses it as its primary library for calling upstream LLM providers and CrewAI falls back to it I believe if the OpenAI, Anthropic, etc. SDKs aren't available.
oncelearner 21 hours ago||
That's a bad supply-chain attack, many folks use litellm as main gateway
rdevilla 21 hours ago|
laughs smugly in vimscript
6thbit 21 hours ago||
Worth exploring safeguard for some: The automatic import can be suppressed using Python interpreter’s -S option.

This would also disable site import so not viable generically for everyone without testing.

zahlman 12 hours ago||
It's not really "automatic import", as described. The exploit is directly contained in the .pth file; Python allows arbitrary code to run from there, with some restrictions that are meant to enforce a bit of sanity for well-meaning users and which don't meaningfully mitigate the security risk.

As described in https://docs.python.org/3/library/site.html :

> Lines starting with import (followed by space or tab) are executed.... The primary intended purpose of executable lines is to make the corresponding module(s) importable (load 3rd-party import hooks, adjust PATH etc).

So what malware can do is put something in a .pth file like

  import sys;exec("evil stringified payload")

and all restrictions are trivially bypassed. It used to not even require whitespace after `import`, so you could even instead do something like

  import_=exec("evil stringified payload")

In the described attack, the imports are actually used; the standard library `subprocess` is leveraged to exec the payload in a separate Python process. Which, since it uses the same Python environment, is also a fork bomb (well, not in the traditional sense; it doesn't grow exponentially, but will still cause a problem).

.pth files have worked this way since 2.1 (comparing https://docs.python.org/2.1/lib/module-site.html to https://docs.python.org/2.0/lib/module-site.html). As far as I can tell there was no PEP for that change.
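
Added example, not part of the thread or of any commenter's post: a defender-side check that lists the lines in `.pth` files which `site.py` would execute, following the rule quoted from the `site` documentation above. The token list used to mark a line as suspicious, the function names and the sample content are constructed assumptions.

```python
import re
import sys
from pathlib import Path

# Heuristic token list (an assumption, not from the thread): names that rarely
# belong in a path-configuration file.
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|base64|subprocess|urllib|socket|__import__)\b")

# Constructed sample .pth content, modelled on the patterns quoted in the comment.
SAMPLE_PTH = (
    "# comment lines are skipped by site.py\n"
    "../shared/libs\n"
    "import sys;exec(\"placeholder payload\")\n"
    "import_=exec(\"placeholder payload\")\n"
    "import\tmypkg_hook\n"
)


def executable_lines(text):
    """Return (lineno, line, suspicious) for each line site.py would exec()."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # site.py only executes lines that begin with 'import' + space or tab.
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line, bool(SUSPICIOUS.search(line))))
    return hits


def scan_dirs(dirs):
    """Scan each directory's top-level *.pth files; map path -> executable lines."""
    report = {}
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            hits = executable_lines(pth.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(pth)] = hits
    return report


if __name__ == "__main__":
    # Run with `python -S script.py <site-packages dir> ...` so that .pth files
    # in the environment being inspected are not processed at startup.
    for path, hits in scan_dirs(sys.argv[1:]).items():
        for lineno, line, bad in hits:
            print(f"{'SUSPICIOUS' if bad else 'executable'} {path}:{lineno}: {line[:100]}")
```

Legitimate packages also ship executable `.pth` lines, so an unflagged hit still needs a look and a flagged one is a lead, not a verdict.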

cpburns2009 20 hours ago||
The 1.82.7 exploit was executed on import. The 1.82.8 exploit used a pth file which is run at start up (module discovery basically).
ilusion 14 hours ago||
Does this mean opencode (and other such agent harnesses that auto update) might also be compromised?
dev_tools_lab 18 hours ago||
Good reminder to pin dependency versions and verify checksums. SHA256 verification should be standard for any tool that makes network calls.
0123456789ABCDE 21 hours ago||
airflow, dagster, dspy, unsloth.ai, polar
saidnooneever 19 hours ago||
just wanna state this can literally happen to anyone within this messy package ecosystem. maintainer seems to be doing his best

if you have tips i am sure they are welcome. snark remarks are useless. don't be a sourpuss. if you know better, help the remediation effort.

smakosh 16 hours ago||
Check out LLM Gateway: https://llmgateway.io

Migration guide: https://llmgateway.io/migration/litellm

cpburns2009 21 hours ago||
LiteLLM is now in quarantine on PyPI [1]. Looks like burning a recovery token was worth it.

[1]: https://pypi.org/project/litellm/

lightedman 17 hours ago|
Write it yourself, fuzz/test it yourself, and build it yourself, or be forever subject to this exact issue.

This was taught in the 90s. Sad to see that lesson fading away.
