Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised (github.com)
About an hour ago new versions have been deployed to PyPI.
I was just setting up a new project, and things behaved weirdly. My laptop ran out of RAM, it looked like a forkbomb was running.
I've investigated, and found that a base64 encoded blob has been added to proxy_server.py.
It writes and decodes another file which it then runs.
I'm in the process of reporting this upstream, but wanted to give everyone here a headsup.
It is also reported in this issue: https://github.com/BerriAI/litellm/issues/24512
173 comments
[ 2.9 ms ] story [ 235 ms ] threadhttps://inspector.pypi.io/project/litellm/1.82.8/packages/fd...
I would expect better spam detection system from GitHub. This is hardly acceptable.
https://github.com/krrishdholakia/blockchain/commit/556f2db3...
I hope that everyone's course of action will be uninstalling this package permanently, and avoiding the installation of packages similar to this.
In order to reduce supply chain risk not only does a vendor (even if gratis and OS) need to be evaluated, but the advantage it provides.
Exposing yourself to supply chain risk for an HTTP server dependency is natural. But exposing yourself for is-odd, or whatever this is, is not worth it.
Remember that you are programmers and you can just program, you don't need a framework, you are already using the API of an LLM provider, don't put a hat on a hat, don't get killed for nothing.
And even if you weren't using this specific dependency, check your deps, you might have shit like this in your requirements.txt and was merely saved by chance.
An additional note is that the dev will probably post a post-mortem, what was learned, how it was fixed, maybe downplay the thing. Ignore that, the only reasonable step after this is closing a repo, but there's no incentive to do that.
First Trivy (which got compromised twice), now LiteLLM.
The package was directly compromised, not “by supply chain attack”.
If you use the compromised package, your supply chain is compromised.
Basically it forkbombed `grep -r rpcuser\rpcpassword` processes trying to find cryptowallets or something. I saw that they spawned from harness, and killed it.
Got lucky, no backdoor installed here from what i could make out of the binary
This would also disable site import so not viable generically for everyone without testing.
https://ramimac.me/trivy-teampcp/#phase-09