Critical Supply Chain Attack on PyPI: Malicious LiteLLM Versions Compromise Python Ecosystem

midudev
#python #pypi #supply-chain-attack #security #malware

The Python Package Index (PyPI) has been hit by a critical supply chain attack, with malicious versions of the widely used LiteLLM library published and distributed. LiteLLM, a pivotal library in the Python and AI ecosystem with over 41,500 GitHub stars and 3.4 million daily downloads, saw versions 1.82.7 and 1.82.8 injected with sophisticated malware. This malicious code was designed for extensive credential harvesting, capable of exfiltrating system secrets and sensitive data. Crucially, the threat does not require explicit library usage; merely installing the compromised packages could lead to system exposure. The attackers leveraged a .pth file, litlm_init.pth, within the package’s site-packages directory, enabling automatic execution of the malware upon Python interpreter startup, bypassing the need for an import statement.

The attack is suspected to be part of a broader, ongoing campaign by a threat actor dubbed ‘TeamPCP,’ which has reportedly compromised five distinct ecosystems—GitHub Actions, Docker Hub, npm, Open VSX, and PyPI—within a mere ten days. The malware targets a comprehensive range of sensitive information, including environment variables, SSH keys, Git credentials, AWS, Kubernetes, GCP, Azure, Docker secrets, package manager data, shell history, cryptocurrency wallet keys, SSL/TLS certificates, CI/CD secrets, database credentials, and webhook URLs. High-profile entities like DataBricks have already reported infections linked to this campaign. Another related incident involved the Telnx package on PyPI, where malware executed upon import to download and run an embedded executable. Experts warn that stolen credentials are often used selectively over time, suggesting that the full impact of these breaches will unfold gradually. The FBI has cautioned that these incidents are “only the beginning,” underscoring the escalating threat to software supply chains. Users who installed the affected LiteLLM versions are advised to immediately change all credentials and consider a full disk wipe due to the deep system compromise capabilities.