Tyler Williams PRO

unmodeled-tyler

AI & ML interests

AI research engineer & solo operator of VANTA Research/Quanta Intellect

Recent Activity

posted an update about 10 hours ago
PSA: LiteLLM has been compromised on PyPI - if you have it installed, CHECK NOW.

LiteLLM is used as a dependency in A LOT of AI tooling, so there's a pretty good chance that you have it installed somewhere on your machine (my instance was part of Hermes Agent, but I was unaffected by the hack).

Versions 1.82.7 & 1.82.8 on PyPI have been compromised with a multi-stage credential stealer.

- Version 1.82.8 uses a .pth file that executes on EVERY python process startup. You don't even need to import litellm. Just having it installed is enough.
- The payload harvests SSH keys, .env files, AWS/GCP/Azure credentials, Kubernetes configs, database passwords, crypto wallets, shell history - basically every secret on your machine.
- Stolen data is encrypted with a hardcoded RSA key and exfiltrated to a domain that is NOT part of a legitimate litellm infrastructure.
- If you're running Kubernetes, it attempts lateral movement across the entire cluster.
- The C2 is hosted on the Internet Computer blockchain, making it essentially impossible to take down.

This is part of a coordinated campaign by a threat actor called TeamPCP who have also hit Trivy (Aqua Security), Checkmarx KICS, and multiple npm packages in the last week ALONE.

What to do:

1. Run 'pip show litellm' in every environment you have.
2. If you're on 1.82.7 or 1.82.8 - rotate EVERY secret on that machine immediately.
3. Check for persistence artifacts: ~/.config/sysmon/sysmon.py & ~/.config/systemd/user/sysmon.service

I was lucky in this case that my litellm version was out of date, but if you've installed litellm as a dependency in ANY package within the last 24ish hours, you're gonna want to check.

SOURCES

https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/

Same group, different attack a couple of days ago:
https://www.stepsecurity.io/blog/canisterworm-how-a-self-propagating-npm-worm-is-spreading-backdoors-across-the-ecosystem
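
The check in steps 1 and 3 of the post, as an added example that is not part of the original post or of any LiteLLM tooling: because the post says the 1.82.8 payload runs on every Python process startup, this sketch reads package metadata straight from disk instead of launching `pip` inside each environment. The function names and the script name are hypothetical, and it assumes wheel-style installs that leave a `litellm-<version>.dist-info` directory.

```bash
#!/usr/bin/env bash
# Added example: reads package metadata from disk and starts no Python interpreter.
BAD_VERSIONS="1.82.7 1.82.8"   # the two versions named in the post

# Print "<version> <dist-info path>" for every litellm install under root $1.
find_litellm() {
    find "$1" -type d -name 'litellm-*.dist-info' 2>/dev/null |
    while IFS= read -r d; do
        # Prefer the Version field in METADATA; fall back to the directory name.
        ver=$(sed -n 's/^Version: *//p' "$d/METADATA" 2>/dev/null | head -n 1)
        if [ -z "$ver" ]; then
            base=${d##*/}
            ver=${base#*-}
            ver=${ver%.dist-info}
        fi
        printf '%s %s\n' "$ver" "$d"
    done
}

# Print only the installs whose version is listed in BAD_VERSIONS.
find_compromised() {
    find_litellm "$1" | while read -r ver path; do
        case " $BAD_VERSIONS " in
            *" $ver "*) printf '%s %s\n' "$ver" "$path" ;;
        esac
    done
}

# Print whichever of the post's two persistence artifacts exist under home dir $1.
check_persistence() {
    for f in "$1/.config/sysmon/sysmon.py" \
             "$1/.config/systemd/user/sysmon.service"; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: ./check_litellm.sh ROOT...   (no arguments: only defines the functions)
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        find_compromised "$root"
    done
    check_persistence "$HOME"
fi
```

Empty output means no listed version and no artifact was found under the given roots; any line printed is a reason to follow step 2 of the post.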
Organizations

Blog-explorers, VANTA Research, Mistral Hack-a-ton 2026