My minute-by-minute response to the LiteLLM malware attack

Posted by Fibonar 5 hours ago

My minute-by-minute response to the LiteLLM malware attack(futuresearch.ai)

Related: Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised - https://news.ycombinator.com/item?id=47501426 (483 comments)

174 points | 80 commentspage 2

hmokiguess 2 hours ago|

Does anyone have an idea of the impact of this out there? I am curious to the extent of the damage done by this

S0y 3 hours ago||

> Where did the litellm files come from? Do you know which env? Are there reports of this online?

> The litellm_init.pth IS in the official package manifest — the RECORD file lists it with a sha256 hash. This means it was shipped as part of the litellm==1.82.8 wheel on PyPI, not injected locally.

> The infection chain:

> Cursor → futuresearch-mcp-legacy (v0.6.0) → litellm (v1.82.8) → litellm_init.pth

This is the scariest part for me.

RALaBarge 3 hours ago|

Maybe the people who use emacs for everything are the only safe ones?

darkstarsys 2 hours ago||

straight and elpaca etc. are just as vulnerable. Maybe more so.

Bullhorn9268 3 hours ago||

The fact pypi reacted so quickly and quarantined the package in like 30 minutes after the report is pretty great!

ddp26 2 hours ago|

Agree, lots of hand wringing about us being so vulnerable to supply chain attacks, but this was handled pretty well all things considered

Josephjackjrob1 1 hour ago||

This is pretty cool, when did you begin?

CrzyLngPwd 1 hour ago||

The fascinating part for me is how they chatted with the machine, such as;

"Please write a short blog post..."

"Can you please look through..."

"Please continue investigating"

"Can you please confirm this?"

...and more.

I never say 'please' to my computer, and it is so interesting to see someone saying 'please' to theirs.

hxugufjfjf 3 minutes ago||

I talk to it like I talk to my coworkers. If I’m nice it/they are usually nice back. Maybe it doesn’t matter if I say please but I don’t overthink it and just treat it like any other chat. I consider it a good habit to just always be calm and respectful, not for the machine’s sake but for my own.

ddp26 1 hour ago||

My team was making fun of me for starting all my chats with "Hi Claude"

CrzyLngPwd 51 minutes ago||

I wouldn't make fun, I just think it is interesting.

I'm really terse. If it asks me a yes or no question, I just type "Y" or "N".

If I want it to confirm something, I say "confirm it".

I think I treat it like a command system, and want it to be as short as possible.

tomalbrc 2 hours ago||

Hmm a YCombinator backed company, I'm not surprised.

moralestapia 4 hours ago||

*salutes*

Thank you for your service, this brings so much context into view, it's great.

dmitrygr 4 hours ago||

Consider this your call to write native software. There is yet to be a supply chain attack on libc

woodruffw 4 hours ago||

This is presumably because libc just doesn't change very often (not meaning code changes, but release cadence). But the average native software stack does have lots of things that change relatively often[1]. So "native" vs. not is probably not a salient factor.

[1]: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

everforward 3 hours ago|||

I think that article proves the opposite.

> While xz is commonly present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems, but was present in development versions of major distributions.

Ie if you weren’t running dev distros in prod, you probably weren’t exposed.

Honestly a lot of packaging is coming back around to “maybe we shouldn’t immediately use newly released stuff” by delaying their use of new versions. It starts to look an awful lot like apt/yum/dnf/etc.

I would wager in the near future we’ll have another revelation that having 10,000 dependencies is a bad thing because of supply chain attacks.

woodruffw 3 hours ago|||

Per below, xz is also an example of us getting lucky.

> I would wager in the near future we’ll have another revelation that having 10,000 dependencies is a bad thing because of supply chain attacks.

Yes, but this also has nothing to do with native vs. non-native.

consp 3 hours ago|||

This is the security equivalent of having a better lock than your neighbour. Won't save you in the end but you won't be first. Then again, yours could also be broken and you don't get to tick of that audit checkbox.

dmitrygr 3 hours ago|||

your link disproves your claim. no naive app depended on xz version >= latest. Most sane distros take time to up-rev. That is why the xz backdoor was, in fact, in NO stable distro

And not changing often is a feature, yes.

woodruffw 3 hours ago||

I don't think it does; I think the industry opinion on xz is that we got lucky in terms of early detection, and that we shouldn't depend on luck.

(I don't know what a "sane" distro is; empirically lots of distros are bleeding-edge, so we need to think about these things regardless of value judgements.)

dmitrygr 3 hours ago||

Sane: debian-stable

woodruffw 3 hours ago||

From experience, a lot of people using a "stable" distro are just bypassing that distro's stability (read: staleness) by installing nightly things from a language ecosystem. It's not clear to me that this is a better (or worse) outcome than a less stable distro.

hrmtst93837 3 hours ago|||

Native code still have plenty of attack surface. If you do everything through pip/npm you might as well publish your root password, but pretending a clean C build from source makes you safe is just cosplay for people who confuse compiler output with trust. If anything people are way too quick to trust a tarball that builds on the first try.

dmitrygr 3 hours ago||

100% with you. Anything that builds from the first try is 100% malicious. No real software builds without 5-30 tweaks of the makefile. And anything on npm/pip is malicious with a fixed chance that you have no control over, as seen in this attack.

But the data remains: no supply chain attacks on libc yet, so even if it COULD happen, this HAS and that merely COULD.

mr_mitm 3 hours ago|||

Native software? You mean software without dependencies? Because I don't see how you solve the supply chain risk as long as you use dependencies. Sure, minimizing the number of dependencies and using mostly stable dependencies also minimizes the risk, but you'll pay for it with glacial development velocity.

dmitrygr 3 hours ago||

Slower development velocity but no third-party-induced hacks surely has a market. :)

ddp26 4 hours ago|||

Sure, but this is a pretty onerous restriction.

Do you think supply chain attacks will just get worse? I'm thinking that defensive measures will get better rapidly (especially after this hack)

ting0 3 hours ago|||

They will certainly get worse. LLMs make it so much easier.

dmitrygr 3 hours ago|||

> Do you think supply chain attacks will just get worse? I'm thinking that defensive measures will get better rapidly (especially after this hack)

I think the attacks will get worse and more frequent -- ML tools enable doing it easily among people who were previously not competent enough to pull it off but now can. There is no stomach for the proper defensive measures among the community for either python or javascript. Why am i so sure? This is not the first, second, third, or fourth time this has happened. Nothing changed.

applfanboysbgon 3 hours ago||

Not only do the tools enable incompetent attackers, they also enable a new class of incompetent library developers to create and publish packages, and a new class of incompetent application developers to install packages without even knowing what packages are being used in the code they aren't reading, and a new class of incompetent users who are allowing OpenClaw to run completely arbitrary code on their machines with no oversight. We are seeing only the tip of the iceberg of the security breaches that are to come.

mckennameyer 2 hours ago|||

So basically the attacker and the dev who caught it were probably using the same tools if the malware was AI-generated (hence the fork bomb bug), and the investigation was AI-assisted (hence the speed). Less "tip of the iceberg" and more just that both sides got faster.

dmitrygr 3 hours ago|||

100%

devnotes77 1 hour ago|

[dead]

More comments...