
LiteLLM Python package compromised by supply-chain attack

https://github.com/BerriAI/litellm/issues/24512
169•theanonymousone•1h ago

Comments

iwhalen•1h ago
What is happening in this issue thread? Why are there 100+ satisfied slop comments?
kevml•1h ago
Potentially compromised?
cirego•1h ago
First thing I noticed too.
nubg•1h ago
Are they trying to slide stuff down? but it just bumps stuff up?
bakugo•1h ago
Attackers trying to stifle discussion, they did the same for trivy: https://github.com/aquasecurity/trivy/discussions/10420
Imustaskforhelp•45m ago
I have created a comment to hopefully steer the discussion towards Hacker News if the threat actor is stifling genuine comments on GitHub by spamming that thread with hundreds of accounts

https://github.com/BerriAI/litellm/issues/24512#issuecomment...

kevml•1h ago
More details here: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attac...
cpburns2009•1h ago
You can see it for yourself here:

https://inspector.pypi.io/project/litellm/1.82.8/packages/fd...

jbkkd•11m ago
Two URLs found in the exploit: https://checkmarx.zone/raw https://models.litellm.cloud/
bratao•1h ago
Looks like the Founder and CTO account has been compromised. https://github.com/krrishdholakia
franktankbank•59m ago
Or his company is trash and he's moved on to plain old theft.
jadamson•58m ago
Most of his recent commits are small edits claiming responsibility on behalf of "teampcp", which was the group behind the recent Trivy compromise:

https://news.ycombinator.com/item?id=47475888

soco•41m ago
I was just wondering why the Trivy compromise hit only npm packages, thinking that bigger stuff should appear sooner or later. Here we go...
deep_noz•1h ago
Good, I was too lazy to bump versions.
jadamson•50m ago
In case you missed it, according to the OP, the previous point release (1.82.7) is also compromised.
dot_treo•43m ago
Yeah, that release has the base64 blob, but it didn't contain the pth file that auto triggers the malware on import.
jadamson•40m ago
The latest version with the pth file doesn't require an import to trigger the exploit (just having the package installed is enough thanks to [1]).

The previous version triggers on `import litellm.proxy`

Again, all according to the issue OP.

[1] https://docs.python.org/3/library/site.html

hiciu•1h ago
Besides the main issue here, and the owner's account being possibly compromised as well, there are like 170+ low quality spam comments in there.

I would expect a better spam detection system from GitHub. This is hardly acceptable.

orf•50m ago
I'm guessing it's accounts they have compromised with the stealer.
nickspacek•1h ago
teampcp taking credit?

https://github.com/krrishdholakia/blockchain/commit/556f2db3...

  - # blockchain
  - Implements a skeleton framework of how to mine using blockchain, including the consensus algorithms.
  + teampcp owns BerriAI
rgambee•47m ago
Looking forward to a Veritasium video about this in the future, like the one they recently did about the xz backdoor.
TZubiri•45m ago
Thank you for posting this, interesting.

I hope that everyone's course of action will be uninstalling this package permanently, and avoiding the installation of packages similar to this.

In order to reduce supply chain risk not only does a vendor (even if gratis and OS) need to be evaluated, but the advantage it provides.

Exposing yourself to supply chain risk for an HTTP server dependency is natural. But exposing yourself for is-odd, or whatever this is, is not worth it.

Remember that you are programmers and you can just program, you don't need a framework, you are already using the API of an LLM provider, don't put a hat on a hat, don't get killed for nothing.

And even if you weren't using this specific dependency, check your deps, you might have shit like this in your requirements.txt and was merely saved by chance.

An additional note is that the dev will probably post a post-mortem, what was learned, how it was fixed, maybe downplay the thing. Ignore that, the only reasonable step after this is closing a repo, but there's no incentive to do that.

xinayder•42m ago
> Remember that you are programmers and you can just program, you don't need a framework, you are already using the API of an LLM provider, don't put a hat on a hat, don't get killed for nothing.

Programming for different LLM APIs is a hassle, this library made it easy by making one single API you call, and in the backstage it handled all the different API calls you need for different LLM providers.

otabdeveloper4•25m ago
There's only two different LLM APIs in practice (Anthropic and everyone else), and the differences are cosmetic.

This is like a couple hours of work even without vibe coding tools.

circularfoyers•24m ago
Comparing this project to is-odd seems very disingenuous to me. My understanding is this was the only way you could use llama.cpp with Claude Code for example, since llama.cpp doesn't support the Anthropic compatible endpoint and doing so yourself isn't anywhere near as trivial as your comparison. Happy to be corrected if I'm wrong.
sschueller•45m ago
Does anyone know a good alternate project that works similarly (share multiple LLMs across a set of users)? LiteLLM has been getting worse and trying to get me to upgrade to a paid version. I also had issues with creating tokens for other users etc.
tacoooooooo•30m ago
pydantic-ai
river_otter•29m ago
github.com/mozilla-ai/any-llm :)
sschueller•9m ago
I just found https://github.com/jasmedia/InferXgate which looks interesting although quite new and not supporting so many providers.
redrove•7m ago
Bifrost is the only real alternative I'm aware of https://github.com/maximhq/bifrost
postalcoder•45m ago
This is a brutal one. A ton of people use litellm as their gateway.
Imustaskforhelp•34m ago
Do you feel as if people will update litellm without looking at this discussion / maybe having it be automatic, which would then lead to loss of crypto wallets / especially AI API keys?

Now I am not worried about the AI API keys having much damage, but I am thinking one step further and I am not sure how many of these corporations follow privacy policy, so perhaps someone more experienced can tell me, but wouldn't these applications keep logs for legal purposes, and those logs can contain sensitive information, both of businesses but also private individuals perhaps too?

daveguy•28m ago
Maybe then people will start to realize crypto isn't even worth the stored bits.

Irrevocable transfers... What could go wrong?

eoskx•15m ago
Not just as a gateway in a lot of cases, but CrewAI and DSPy use it directly. DSPy uses it as its only way to call upstream LLM providers and CrewAI falls back to it if the OpenAI, Anthropic, etc. SDKs aren't available.
mikert89•44m ago
Wow this is in a lot of software
eoskx•18m ago
Yep, DSPy and CrewAI have direct dependencies on it. DSPy uses it as its primary library for calling upstream LLM providers and CrewAI falls back to it I believe if the OpenAI, Anthropic, etc. SDKs aren't available.
Imustaskforhelp•43m ago
Our modern economy/software industry truly runs on egg-shells nowadays, with engineers' accounts getting hacked to create a supply-chain attack at the same time that threat actors are getting more advanced, partially due to help from LLMs.

First Trivy (which got compromised twice), now LiteLLM.

6thbit•42m ago
The title is a bit misleading.

The package was directly compromised, not “by supply chain attack”.

If you use the compromised package, your supply chain is compromised.

intothemild•41m ago
I just installed Harness, and it instantly pegged my CPU. I was lucky to see my processes before the system hard locked.

Basically it forkbombed `grep -r rpcuser\rpcpassword` processes trying to find cryptowallets or something. I saw that they spawned from harness, and killed it.

Got lucky, no backdoor installed here from what I could make out of the binary.

hmokiguess•9m ago
What is Harness?
chillfox•41m ago
Now I feel lucky that I switched to just using OpenRouter a year ago because LiteLLM was incredibly flaky and kept causing outages.
gkfasdfasdf•41m ago
Someone needs to go to prison for this.
6thbit•39m ago
A safeguard worth exploring for some: the automatic import can be suppressed using the Python interpreter's -S option.

This would also disable the site import, so it is not viable generically for everyone without testing.
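The two comments above (jadamson's on the .pth trigger and 6thbit's on `-S`) rest on a documented behaviour of the `site` module: at interpreter start, every `.pth` file in a site-packages directory is read, and any line beginning with `import ` (or `import` followed by a tab) is executed with `exec`, while other non-comment lines are treated as path entries. The audit script below is an added example for defenders, not code from the issue thread or from the LiteLLM project. It lists every `.pth` file on the running interpreter's site directories that contains such executable lines, so an operator can review them instead of disabling `site` wholesale with `-S`. It assumes only the standard library; the sample `.pth` text embedded in it is constructed for illustration and names no real package.

```python
"""Audit site-packages for .pth files that execute code at interpreter start.

Added example (not part of the original thread). Uses only the standard
library; the SAMPLE_PTH text is constructed for illustration.
"""
import site
from pathlib import Path

# site.py executes a .pth line only when it starts, at column 0, with
# "import " or "import\t"; comments, blank lines and everything else are
# path entries or skipped.
EXEC_PREFIXES = ("import ", "import\t")

# Constructed sample: one comment, one path entry, two executable lines,
# and an indented "import" that site.py would treat as a path, not code.
SAMPLE_PTH = (
    "# vendor hook\n"
    "\n"
    "some/extra/path\n"
    "import os; os.environ.get('HOME')\n"
    "import\tsys\n"
    "   import not_executed\n"
)


def classify_pth_lines(text):
    """Split .pth content into (exec_lines, path_lines) the way site.py would."""
    exec_lines, path_lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#") or raw.strip() == "":
            continue
        if raw.startswith(EXEC_PREFIXES):
            exec_lines.append(raw)
        else:
            path_lines.append(raw.rstrip())
    return exec_lines, path_lines


def site_dirs():
    """Directories whose .pth files the interpreter would process."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return dirs


def find_pth_files(dirs):
    """All *.pth files under the given directories (missing dirs are skipped)."""
    found = []
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            found.extend(sorted(p.glob("*.pth")))
    return found


def audit(dirs=None):
    """Return [(path, exec_lines)] for every .pth that would run code on start."""
    if dirs is None:
        dirs = site_dirs()
    hits = []
    for f in find_pth_files(dirs):
        try:
            text = f.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: nothing site.py could run either
        exec_lines, _ = classify_pth_lines(text)
        if exec_lines:
            hits.append((str(f), exec_lines))
    return hits


if __name__ == "__main__":
    for path, lines in audit():
        print(path)
        for line in lines:
            print("    " + line)
```

An `import` line in a `.pth` file is not malicious by itself: setuptools, for instance, ships `distutils-precedence.pth` with one, so the point of the listing is to know which modules get imported before your first line of code runs and to check that each one belongs to a package you expect. A hit pointing at a module inside a freshly installed package is the thing worth reading.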

ramimac•37m ago
This is tied to the TeamPCP activity over the last few weeks. I've been responding, and keeping an up-to-date timeline. I hope it might help folks catch up and contextualize this incident:

https://ramimac.me/trivy-teampcp/#phase-09

0fflineuser•36m ago
I was running it in my homelab with docker compose using the litellm/litellm:latest image https://hub.docker.com/layers/litellm/litellm/latest/images/... , I don't think this was compromised as it is from 6 months ago.

I guess I am lucky, as I have Watchtower automatically update all my containers to the latest image every morning if there are new versions.

I also just added it to my homelab this Sunday, I guess that's good timing haha.

oncelearner•35m ago
That's a bad supply-chain attack, many folks use litellm as main gateway
rdevilla•30m ago
laughs smugly in vimscript
fratellobigio•34m ago
It's been quarantined on PyPI
cpburns2009•34m ago
LiteLLM is now in quarantine on PyPI [1]. Looks like burning a recovery token was worth it.

[1]: https://pypi.org/project/litellm/

rdevilla•34m ago
It will only take one agent-led compromise to get some Claude-authored underhanded C into llvm or linux or something and then we will all finally need to reflect on trusting trust at last and forevermore.
MuteXR•25m ago
You know that people can already write backdoored code, right?
ipython•21m ago
But now you have compromise _at scale_. Before, poor plebs like us had to artisanally craft every back door. Now we have a technology to automate that mundane exploitation process! Win!
MuteXR•17m ago
You still have a human who actually ends up reviewing the code, though. Now if the review was AI powered... (glances at openclaw)
Imustaskforhelp•23m ago
If that were to happen, the worry I would have is of all the sensitive Government servers from all over the world which might then be exploited, and the amount of damage which can be caused silently by such a threat actor, or something like AWS/GCP/these massive hyperscalers which are also used by the governments around the globe at times.

The possibilities within a good threat could be catastrophic if we assume so, and if we assume nation-states to be interested in sponsoring hacking attacks (which many nations already do) to attack enemy nations/gain leverage. We are looking at damage within Trillions at that point.

But I would assume that Linux might be safe for now, it might be the most looked at code and it's definitely something safe.

LLVM might be a bit more interesting as it might go a little unnoticed but hopefully people who are working at LLVM are well funded/have enough funding to take a look at everything carefully to not have such a slip up.

cozzyd•16m ago
The only way to be safe is to constantly change internal APIs so that LLMs are useless at kernel code
vlovich123•5m ago
Reflect in what way? The primary focus of that talk is that it’s possible to infect the binary of a compiler in a way that source analysis won’t reveal and the binary self replicates the vulnerability into other binaries it generates. Thankfully that particular problem was “solved” a while back [1] even if not yet implemented widely.

However, the broader idea of supply chain attacks remains challenging and AI doesn’t really matter in terms of how you should treat it. For example, the xz-utils back door in the build system to attack OpenSSH on many popular distros that patched it to depend on systemd predates AI and that’s just the attack we know about because it was caught. Maybe AI helps with scale of such attacks but I haven’t heard anyone propose any kind of solution that would actually improve reliability and robustness of everything.

[1] Fully Countering Trusting Trust through Diverse Double-Compiling https://arxiv.org/abs/1004.5534

nickvec•31m ago
Looks like all of the LiteLLM CEO’s public repos have been updated with the description “teampcp owns BerriAI” https://github.com/krrishdholakia
otabdeveloper4•29m ago
LiteLLM is the second worst software project known to man. (First is LangChain. Third is OpenClaw.)

I'm sensing a pattern here, hmm.

nickvec•26m ago
Not familiar with LangChain besides at a surface level - what makes it the worst software project known to man?
eoskx•19m ago
LangChain at least has its own layer for upstream LLM provider calls, which means it isn't affected by this supply chain compromise. DSPy uses LiteLLM as its primary way to call OpenAI, etc. and CrewAI imports it, too, but I believe it prefers the vendor libraries directly before it falls back to LiteLLM.
shay_ker•26m ago
A general question - how do frontier AI companies handle scenarios like this in their training data? If they train their models naively, then training data injection seems very possible and could make models silently pwn people.

Do the labs label code versions with an associated CVE to label them as compromised (telling the model what NOT to do)? Do they do adversarial RL environments to teach what's good/bad? I'm very curious since it's inevitable some pwned code ends up as training data no matter what.

Imustaskforhelp•20m ago
I am pretty sure that such measures aren't taken by AI companies, though I may be wrong.
alansaber•15m ago
The API/online model inference definitely runs through some kind of edge safeguarding models which could do this.
tomaskafka•19m ago
Everyone’s (well, except Anthropic, they seem to have preserved a bit of taste) approach is the more data the better, so the databases of stolen content (erm, models) are memorizing crap.
datadrivenangel•10m ago
This was a compromise of the library owner's GitHub accounts apparently, so this is not a related scenario to dangerous code in the training data.

I assume most labs don't do anything to deal with this, and just hope that it gets trained out because better code should be better rewarded in theory?

kstenerud•26m ago
We need real sandboxing. Out-of-process sandboxing, not in-process. The attacks are only going to get worse.

That's why I'm building https://github.com/kstenerud/yoloai

xinayder•25m ago
When something like this happens, do security researchers instantly contact the hosting companies to suspend or block the domains used by the attackers?
redrove•11m ago
First line of defense is the git host and artifact host scrape the malware clean (in this case GitHub and Pypi).

Domains might get added to a list for things like 1.1.1.2 but as you can imagine that has much smaller coverage, not everyone uses something like this in their DNS infra.

dec0dedab0de•24m ago
github, pypi, npm, homebrew, cpan, etc etc. should adopt a multi-multi-factor authentication approach for releases. Maybe have it kick in as a requirement after X amount of monthly downloads.

Basically, have all releases require multi-factor auth from more than one person before they go live.

A single person being compromised either technically, or by being hit on the head with a wrench, should not be able to release something malicious that affects so many people.

worksonmine•13m ago
And how would that work for single maintainer projects?
0123456789ABCDE•23m ago
airflow, dagster, dspy, unsloth.ai, polar
eoskx•21m ago
This is bad, especially from a downstream dependency perspective. DSPy and CrewAI also import LiteLLM, so you could not be using LiteLLM as a gateway, but still importing it via those libraries for agents, etc.
nickvec•18m ago
Wow, the postmortem for this is going to be brutal. I wonder just how many people/orgs have been affected.
eoskx•16m ago
Yep, I think the worst impact is going to be from libraries that were using LiteLLM as just an upstream LLM provider library vs for a model gateway. Hopefully, CrewAI and DSPy can get on top of it soon.
xunairah•15m ago
Version 1.82.7 is also compromised. It doesn't have the pth file, but the payload is still in proxy/proxy_server.py.
tom_alexander•11m ago
Only tangentially related: Is there some joke/meme I'm not aware of? The github comment thread is flooded with identical comments like "Thanks, that helped!", "Thanks for the tip!", and "This was the answer I was looking for."

Since they all seem positive, it doesn't seem like an attack but I thought the general etiquette for github issues was to use the emoji reactions to show support so the comment thread only contains substantive comments.

nickvec•10m ago
Ton of compromised accounts spamming the GH thread to prevent any substantive conversation from being had.
incognito124•10m ago
In the thread:

> It also seems that attacker is trying to stifle the discussion by spamming this with hundreds of comments. I recommend talking on hackernews if that might be the case.

jbkkd•9m ago
Those are all bots commenting, and now exposing themselves as such.
Imustaskforhelp•7m ago
Bots to flood the discussion to prevent any actual conversation.
vultour•6m ago
These have been popping up on all the TeamPCP compromises lately
jFriedensreich•10m ago
We just can't trust dependencies and dev setups. I wanted to say "anymore" but we never could. Dev containers were never good enough, too clumsy and too little isolation. We need to start working in full sandboxes with defence in depth that have real guardrails and UIs, like VM isolation + container primitives and allow lists, egress filters, seccomp, gVisor and more, but with much better usability. It's the same requirements we have for agent runtimes, let's use this momentum to make our dev environments safer! In such an environment the container would crash, we see the violations, delete it and don't have to worry about it. We should treat this as an everyday possibility, not as an isolated security incident.
kalib_tweli•6m ago
Would value your opinion on my project to isolate creds from the container:

https://github.com/calebfaruki/tightbeam https://github.com/calebfaruki/airlock

This is literally the thing I'm trying to protect against.

mohsen1•7m ago
If it was not spinning so many Python processes and not overwhelming the system with those (friends found out this is consuming too much CPU from the fan noise!) it would have been much more successful. So similar to xz attack
detente18•6m ago
LiteLLM maintainer here, this is still an evolving situation, but here's what we know so far:

1. Looks like this originated from the Trivy used in our CI/CD - https://github.com/search?q=repo%3ABerriAI%2Flitellm%20trivy... https://ramimac.me/trivy-teampcp/#phase-09

2. If you're on the proxy docker, you were not impacted. We pin our versions in the requirements.txt

3. The package is in quarantine on PyPI - this blocks all downloads.

We are investigating the issue, and seeing how we can harden things. I'm sorry for this.

- Krrish
