
PyPI Supply Chain Attack Compromises LiteLLM, Enabling the Exfiltration of Sensitive Information


Discovered by FutureSearch researcher Callum McMahon, a supply chain attack against LiteLLM on PyPI resulted in over 40 thousand downloads of a compromised version that installed a malicious payload capable of harvesting and exfiltrating sensitive information. LiteLLM is downloaded roughly 3 million times per day.

As Andrej Karpathy noted on X, the malware was capable of exfiltrating SSL and SSH keys, cloud provider credentials, Kubernetes configurations, Git credentials, API keys, shell history, crypto wallets, and many other kinds of secrets.

As McMahon explains, the attack affected the litellm 1.82.8 package:

It started with my machine stuttering hard, something that really shouldn't be happening on a 48GB Mac. htop taking 10s of seconds to load, CPU pegged at 100%, all signs I'll be working on my local env for a while… After failing to software reset my Mac, I took a final picture for evidence and hard reset.

After McMahon promptly reported the compromised package to the PyPI security team and the LiteLLM maintainers, the affected package was quarantined within approximately 40 minutes. However, the risk extended further, as any package depending on litellm version 1.82.8 was also indirectly compromised.

According to McMahon, all it took for his system to be compromised was launching a local MCP server through Cursor. This triggered the download of the latest LiteLLM package, which happened to have been compromised just minutes earlier. However, a flaw in the implementation of the malware itself caused the LiteLLM process to recursively fork, eventually bringing McMahon’s system to a complete halt:

The .pth launcher spawns a child Python process via subprocess.Popen, but because .pth files trigger on every interpreter startup, the child re-triggers the same .pth — creating an exponential fork bomb that crashed the machine.

Without this mistake in the implementation, the malware would have gone unnoticed for much longer and caused much greater damage, noted Karpathy.
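The `.pth` startup hook McMahon describes is something a defender can audit: `site.py` executes any line in a site-packages `.pth` file that begins with `import`, and treats every other line as a path entry, so an executable line that spawns a process is the place to look. The following script is an added example, not code from the article, from McMahon's post or from the LiteLLM project; it reports executable `.pth` lines that reference process-spawning or decoding calls, using a constructed sample directory (the indicator list is an assumption, not a published signature).

```python
import re
import sysconfig
import tempfile
from pathlib import Path

# site.py executes .pth lines that start with "import " or "import\t";
# every other line is added to sys.path as a directory.
EXEC_LINE = re.compile(r"^import[ \t]")
# Assumed indicator list: calls a startup hook should not normally need.
SUSPICIOUS = ("subprocess", "Popen", "os.system", "exec(", "eval(", "base64")


def suspicious_pth_lines(pth_file):
    """Return (line_no, text) for executable .pth lines using risky calls."""
    hits = []
    text = pth_file.read_text(errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        if EXEC_LINE.match(line) and any(tok in line for tok in SUSPICIOUS):
            hits.append((no, line.strip()))
    return hits


def scan_site_packages(dirs=None):
    """Scan every .pth file in the given dirs (default: this interpreter's)."""
    if dirs is None:
        paths = sysconfig.get_paths()
        dirs = [paths["purelib"], paths["platlib"]]
    report = {}
    for d in dict.fromkeys(dirs):  # de-duplicate while keeping order
        if not Path(d).is_dir():
            continue
        for pth in sorted(Path(d).glob("*.pth")):
            hits = suspicious_pth_lines(pth)
            if hits:
                report[str(pth)] = hits
    return report


def demo_scan():
    """Constructed sample: one benign and one risky .pth in a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "benign.pth").write_text("/opt/libs\nimport _virtualenv\n")
    (tmp / "hostile.pth").write_text(
        "import subprocess; subprocess.Popen(['true'])  # constructed, inert\n")
    return {Path(k).name: v for k, v in scan_site_packages([str(tmp)]).items()}


if __name__ == "__main__":
    for path, hits in scan_site_packages().items():
        for no, line in hits:
            print(f"{path}:{no}: {line}")
```

Run without arguments it audits the current interpreter's own site-packages; `demo_scan()` exercises the logic on the constructed files only.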

Point Wild, a provider of AI-powered cybersecurity tools, has open-sourced a dependency scanner to help developers assess the impact on their dependencies. The tool, who-touched-my-packages (wtmp), combines behavioral analysis and AI-driven detection to flag zero-day supply-chain threats, going beyond the coverage offered by conventional vulnerability checkers.

FutureSearch released a litellm-checker tool to help package maintainers determine whether their projects were impacted by the supply chain attack.

The LiteLLM team reported that the supply chain attack was enabled by a vulnerability in Trivy, allowing attackers to gain unauthorized access to the LiteLLM publishing pipeline.

For additional details on the supply chain attack and the malicious payload deployed by the malware, see McMahon's original post and Snyk's detailed analysis.
