LiteLLM loses game of Trivy pursuit, gets compromised

The Register / 3/25/2026

Key Points

  • LiteLLM, a Python interface/library for using LLMs, was compromised after being infected with malware through a polluted CI/CD pipeline.
  • The incident highlights how dependency and supply-chain risks can bypass typical application safeguards when build/release pipelines are tampered with.
  • Security guidance implied by the reporting focuses on tracing affected versions, validating artifacts, and tightening CI/CD integrity controls to prevent similar contamination.
  • The “Trivy pursuit” framing points to a security scanning/verification process failing to stop the malicious payload from reaching users.

Python interface for LLMs infected with malware via polluted CI/CD pipeline

Tue 24 Mar 2026 // 19:11 UTC

Two versions of LiteLLM, an open source interface for accessing multiple large language models, have been removed from the Python Package Index (PyPI) following a supply chain attack that injected them with malicious credential-stealing code.

Specifically, LiteLLM v1.82.7 and v1.82.8 have been taken down because they contain credential-stealing code in a component file, litellm_init.pth.

Krrish Dholakia, CEO of Berri AI, which maintains LiteLLM, said in an online post that the compromise appears to have originated from the use of Trivy in the project's CI/CD pipeline.

Trivy is an open source vulnerability scanner maintained by Aqua Security that many other projects include as a security measure. The malware campaign began in late February, when the attackers took advantage of a misconfiguration in Trivy's GitHub Actions environment to steal a privileged access token that allowed the manipulation of CI/CD, according to Aqua Security.

The software was subverted on March 19, when attackers referred to as TeamPCP used compromised credentials to publish a malicious Trivy release (v0.69.4), and again on March 22, when malicious Trivy versions v0.69.5 and v0.69.6 were published as DockerHub images.

But Aqua Security explains that the approach taken by the attackers was more sophisticated than just uploading a new malicious version of Trivy.

"By modifying existing version tags associated with [the GitHub Action script] trivy-action, they injected malicious code into workflows that organizations were already running," the company said. "Because many CI/CD pipelines rely on version tags rather than pinned commits, these pipelines continued to execute without any indication that the underlying code had changed."

Dholakia said that LiteLLM's PYPI_PUBLISH token, stored in the project's GitHub repo as an .env variable, got sent to Trivy, where attackers got ahold of it, then used it to push new LiteLLM code.

"We have deleted all our PyPI publishing tokens," he said. "Our accounts had 2fa, so it's a bad token here. We're reviewing our accounts, to see how we can make it more secure (trusted publishing via JWT tokens, move to a different PyPI account, etc.)."

In another twist, the GitHub vulnerability report appears to have been targeted with a spam attack designed to distract and obscure useful comments about the report. At 05:44 AM PDT, dozens of presumably AI-generated variations of "Thanks, that helped!" flooded the repo. According to security researcher Rami McCarthy, 19 of the 25 accounts used to post were also used in the Trivy spam campaign.

The Python Packaging Authority (PyPA) has published a security advisory about the LiteLLM compromise.

"Anyone who has installed and run the project should assume any credentials available to [the] LiteLLM environment may have been exposed, and revoke/rotate them accordingly," the advisory says. ®
