Skills
LiteLLM Supply Chain Attack Postmortem: Poisoned Trivy Security Scanner Exfiltrated PyPI Token, Backdoored 95M Monthly Downloads in 40 Minutes
Snyk published a detailed analysis of the LiteLLM supply chain attack. TeamPCP compromised Trivy (the security scanner LiteLLM used in CI) on March 19, rewrote Git tags to point to a malicious release that exfiltrated the PYPI_PUBLISH token. On March 24, they published litellm 1.82.7 and 1.82.8 — live for 40 minutes before PyPI quarantined them. Version 1.82.8 used a .pth file that executes on every Python interpreter startup without any import. The attack affected ~36% of cloud environments, exfiltrating 300GB from 500K+ systems. Downstream: Mercor lost 4TB of data including API keys and source code. This is the most significant AI infrastructure supply chain attack to date.
Source
↳ Follow the thread