Валентин Шнайдер | Around IT
25 March 2026, 14:18
A key, password and cloud access stealer has been built into the popular Python library litellm
Malicious code was discovered in the litellm library, which is used to work with LLM models. The infected version could automatically collect access keys, passwords, tokens, and other secrets from a computer or server and send them to attackers.
According to DOU, citing the project team’s GitHub, the dangerous release was litellm==1.82.8, published on PyPI. It shipped a file called litellm_init.pth, which was automatically launched every time Python was started, even if the developer did not import the library itself in the code. This is what makes the incident particularly dangerous: simply installing the package was enough for the malicious script to start running in the background.
According to the developers of litellm, the malicious code collected more than regular passwords. Its targets also included SSH keys (files that allow logging in to servers without manually entering a password), AWS, GCP and Azure credentials, Kubernetes and Docker configs, environment variables with tokens, CI/CD secrets, database credentials, shell history and even private SSL keys. The collected information was then archived, encrypted and sent to the domain models.litellm.cloud, which was disguised as official project infrastructure, although the real litellm website operates on the domain litellm.ai.
The litellm team explicitly called the incident a supply chain compromise. This means that the infection did not result from an individual user's error but came through the package itself, which developers installed as a trusted dependency. It could potentially affect programmers' local machines, CI/CD pipelines, Docker containers, and production servers. Developers were advised to immediately uninstall version 1.82.8, check for the presence of litellm_init.pth, and replace any secrets that may have been accessible on the infected machine.
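The two checks the developers advised can be scripted. The following is an added example, not code from the litellm project or from this article; the function names are this example's own, and it also lists any other .pth file containing lines that Python executes at startup, which goes beyond the single file named above.

```python
import site
import sys
import sysconfig
from importlib import metadata
from pathlib import Path

BAD_VERSION = "1.82.8"        # version named in the article
BAD_PTH = "litellm_init.pth"  # file name named in the article

def site_dirs():
    """Directories whose .pth files the site module processes at startup."""
    dirs = set(getattr(site, "getsitepackages", list)())
    dirs.add(site.getusersitepackages())
    dirs.update(sysconfig.get_paths()[k] for k in ("purelib", "platlib"))
    return sorted(d for d in dirs if Path(d).is_dir())

def scan_pth(directory):
    """Return (path, kind, executable_lines) for .pth files worth reviewing."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            lines = pth.read_text(errors="replace").splitlines()
        except OSError:
            continue
        # site.py executes any .pth line that starts with "import" + space/tab
        code = [ln for ln in lines if ln.startswith(("import ", "import\t"))]
        if pth.name == BAD_PTH:
            findings.append((str(pth), "known-bad", code))
        elif code:  # legitimate packages do this too: review, not a verdict
            findings.append((str(pth), "executable-pth", code))
    return findings

def installed_litellm_version(dirs):
    for dist in metadata.distributions(path=list(dirs)):
        if (dist.metadata.get("Name") or "").lower() == "litellm":
            return dist.version
    return None

def audit(dirs=None):
    dirs = site_dirs() if dirs is None else list(dirs)
    findings = [f for d in dirs for f in scan_pth(d)]
    version = installed_litellm_version(dirs)
    hit = version == BAD_VERSION or any(k == "known-bad" for _, k, _ in findings)
    return {"litellm_version": version, "findings": findings, "compromised": hit}

if __name__ == "__main__":
    report = audit()
    print(report)
    sys.exit(1 if report["compromised"] else 0)
```

Because .pth files run whenever the affected interpreter starts, run the check from a separate Python installation and pass the suspect environment's site-packages path to `audit([...])`.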
This is not the first time that an attack has targeted not the final product but the dependencies that thousands of projects pull in automatically. That is why the litellm story matters even for those who have never heard of this library: one malicious package in a popular repository can give attackers immediate access to companies' servers, clouds, and internal infrastructure.