🔴 LiteLLM Supply Chain Attack: Credential Stealer
Summary
The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.
Key Findings
Attack Mechanism: .pth files in site-packages/ are processed by the Python interpreter's site module on every startup, and any line in them that begins with import is executed as code, so no package import is needed. The payload is double base64-encoded, so a naive grep of the installed source for suspicious strings finds nothing.
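As an added defender-side example (not code from the page or the LiteLLM project), the following scanner walks the interpreter's site-packages directories and flags the shape described above: .pth import lines that reach for exec or decoders, base64 literals that decode to yet more base64, and files far larger than a path list should be. The token list, the 4096-byte size threshold, the base64 run length and the sample .pth contents are constructed assumptions; the only thing taken from the page is that a legitimate .pth is tiny compared with the 34,628-byte file reported.

```python
"""Scan the interpreter's .pth files for executable payloads.

Constructed defender example, not code from the page or the LiteLLM project.
Python's site module reads every *.pth in site-packages at startup and
executes any line that starts with 'import'; that is the autostart hook
this attack used. Heuristic values below are assumptions.
"""
import base64
import binascii
import re
import site
from pathlib import Path

# Tokens a legitimate .pth import line has no reason to contain (assumed list)
SUSPICIOUS_TOKENS = ("exec(", "eval(", "compile(", "base64", "zlib", "marshal",
                     "__import__", "subprocess", "urllib", "socket")
# A run of base64 alphabet long enough to be an encoded blob rather than a name
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Normal .pth files hold a few path lines; the page's sample was 34,628 bytes
SIZE_LIMIT = 4096


def _b64_layers(token: bytes, max_layers: int = 3) -> int:
    """Count how many times a token can be successively base64-decoded."""
    layers, data = 0, token
    while layers < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
        data = decoded.strip()
        if not B64_RUN.fullmatch(data):
            break  # inner content is not itself a base64 blob
    return layers


def scan_pth_text(name: str, text: str, size: int = -1) -> list:
    """Return a list of findings for the contents of one .pth file."""
    findings = []
    if size < 0:
        size = len(text.encode())
    if size > SIZE_LIMIT:
        findings.append(f"{name}: oversized .pth ({size} bytes)")
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("import "):
            continue  # plain path entries are never executed
        hits = [t for t in SUSPICIOUS_TOKENS if t in stripped]
        if hits:
            findings.append(f"{name}:{lineno}: executable import line uses {', '.join(hits)}")
        for match in B64_RUN.finditer(stripped.encode()):
            layers = _b64_layers(match.group(0))
            if layers >= 2:
                findings.append(f"{name}:{lineno}: base64 literal nested {layers} layers deep")
    return findings


def scan_site_packages() -> list:
    """Scan every system and user site-packages directory of this interpreter."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            if pth.is_file():
                findings.extend(scan_pth_text(str(pth), pth.read_text(errors="replace"),
                                              pth.stat().st_size))
    return findings


# Constructed samples for a self-test: a path entry, a setuptools-style hook line,
# and a loader shape whose decoded content is only a harmless print statement.
_INNER = base64.b64encode(b'print("constructed benign marker for the scanner test")').decode()
_OUTER = base64.b64encode(_INNER.encode()).decode()
SAMPLE_PATH = "/opt/example/src\n"
SAMPLE_HOOK = "import _example_hook; _example_hook.add_shim()\n"
SAMPLE_LOADER = f"import base64;exec(base64.b64decode(base64.b64decode('{_OUTER}')))\n"

if __name__ == "__main__":
    for finding in scan_pth_text("sample.pth", SAMPLE_LOADER) + scan_site_packages():
        print(finding)
```

The scanner deliberately ignores path-only lines, so a clean environment with many packages produces no noise; anything it does report is an import-style .pth that deserves a manual look, and the nested-base64 finding is the one that catches the layered encoding the page describes.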
What Gets Stolen (Stage 1)
- System Info: hostname, whoami, uname -a, ip addr, ip route
- Environment Variables: All API keys, secrets, tokens
- SSH Keys: id_rsa, id_ed25519, id_ecdsa, authorized_keys, known_hosts, config
- Git Credentials: ~/.gitconfig, ~/.git-credentials
- Cloud Credentials: AWS, GCP, Azure, Kubernetes secrets
- Docker Configs: All Docker config.json files
- Shell History: bash_history, zsh_history, mysql_history, psql_history
- Crypto Wallets: Bitcoin, Ethereum, Solana, Cardano, etc.
- CI/CD Secrets: terraform.tfvars, GitLab CI, Jenkins, Drone configs
Exfiltration (Stage 2)
- Data encrypted with AES-256-CBC
- AES session key encrypted with 4096-bit RSA public key
- Exfiltrated via curl to https://models.litellm.cloud/ (note: litellm.cloud, NOT litellm.ai)
Impact
- Anyone who installed litellm==1.82.8 via pip
- Affected environments: local dev machines, CI/CD pipelines, Docker containers, production servers
Recommended Actions
- Check for litellm_init.pth in your site-packages/ directory
- Rotate ALL credentials present as environment variables or in config files
- Audit your PyPI publishing credentials and CI/CD pipeline
- Consider using PyPI trusted publishing or hash verification
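The first and last of the actions above can be scripted. The following is an added example, not code from the page or the LiteLLM project: it looks for litellm_init.pth in every site-packages directory of the running interpreter, reports whether the installed litellm version is the one the page names, and shows the hash-pinning side of the last recommendation by turning a locally downloaded artifact into a pip requirement line that only installs under pip install --require-hashes. The affected-version set contains only 1.82.8 because that is the only version the page reports; the demo() helper, its temporary files and the example package name are constructed for the self-test.

```python
"""Response checks for the litellm==1.82.8 incident.

Constructed defender example, not code from the page or the LiteLLM project.
Locates the reported litellm_init.pth, checks the installed version, and
produces sha256-pinned requirement lines for pip --require-hashes.
"""
import hashlib
import site
from importlib import metadata
from pathlib import Path
from typing import Iterable, Optional

IOC_PTH_NAME = "litellm_init.pth"   # filename reported on the page
AFFECTED_VERSIONS = {"1.82.8"}      # only the version the page names


def site_dirs() -> list:
    """All site-packages directories of the running interpreter (system + user)."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])()) + [site.getusersitepackages()]
    return [Path(d) for d in dirs]


def find_ioc_pth(dirs: Iterable[Path]) -> list:
    """Return every litellm_init.pth found directly inside the given directories."""
    return [d / IOC_PTH_NAME for d in dirs if (d / IOC_PTH_NAME).is_file()]


def installed_version(dist: str = "litellm") -> Optional[str]:
    """Installed version string of a distribution, or None if not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def is_affected(version: Optional[str]) -> bool:
    return version in AFFECTED_VERSIONS


def sha256_of(path: Path) -> str:
    """Streaming sha256 so large wheels do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pinned_requirement(name: str, version: str, artifact: Path) -> str:
    """A requirements.txt line that pip accepts only for a byte-identical artifact.

    Install with: pip install --require-hashes -r requirements.txt
    """
    return f"{name}=={version} --hash=sha256:{sha256_of(artifact)}"


def verify_artifact(artifact: Path, expected_sha256: str) -> bool:
    return sha256_of(artifact) == expected_sha256


def triage() -> dict:
    """Run the host checks against the live interpreter."""
    dirs = site_dirs()
    version = installed_version()
    return {
        "ioc_pth_files": [str(p) for p in find_ioc_pth(dirs)],
        "litellm_version": version,
        "affected": is_affected(version),
    }


def demo() -> dict:
    """Self-contained demonstration on a constructed temporary directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed placeholder file carrying the reported name, not the real payload
        (root / IOC_PTH_NAME).write_text("# constructed placeholder\n")
        artifact = root / "example-0.0.0-py3-none-any.whl"   # constructed, not a real wheel
        artifact.write_bytes(b"constructed wheel bytes")
        req = pinned_requirement("example", "0.0.0", artifact)
        return {
            "found": [p.name for p in find_ioc_pth([root])],
            "requirement": req,
            "verifies": verify_artifact(artifact, req.split("sha256:")[1]),
            "tampered": verify_artifact(artifact, "0" * 64),
        }


if __name__ == "__main__":
    print(triage())
    print(demo())
```

A clean result from triage() only means this interpreter is not carrying the reported file; the credential rotation step still applies to any host where the affected version was ever installed, because the payload runs on the first interpreter start after installation.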
Tags
Supply Chain Security
PyPI
Credential Theft
Security Vulnerability
AI Infrastructure