Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised
About an hour ago, new versions were deployed to PyPI. I was just setting up a new project, and things behaved weirdly. My laptop ran out of RAM; it looked like a forkbomb was running. I've investigated and found that a base64-encoded blob has been added to proxy_server.py. It writes and decodes another file, which it then runs. I'm in the process of reporting this upstream, but wanted to give everyone here a heads-up. It is also reported in this issue: https://github.com/BerriAI/litellm/issues/24512
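As an added example (not from the original post, not litellm's code, and not the payload itself), here is a local triage check for the pattern the post describes: a long base64 literal in a package file sitting next to decode/write/execute calls, plus a check that the installed version is not one of the two named above. The 200-character threshold, the set of flagged call names, and the two sample sources are my assumptions. Legitimate packages also embed base64 (certificates, test fixtures), so a hit is a lead to read by hand, not proof of compromise.

```python
import ast
import re
import sys
from pathlib import Path

# Versions named in the post; anything else is outside this check's knowledge.
BAD_VERSIONS = {"1.82.7", "1.82.8"}
# Assumption: a string literal of 200+ base64-alphabet characters is worth a look.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")
# Assumption: call names that, next to such a blob, suggest decode-write-run.
SUSPICIOUS_CALLS = {"b64decode", "exec", "eval", "system", "Popen", "run"}


def version_is_compromised(version: str) -> bool:
    """True for the two releases the post identifies as compromised."""
    return version.strip() in BAD_VERSIONS


def _call_name(node: ast.Call) -> str:
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr          # base64.b64decode(...) -> "b64decode"
    if isinstance(func, ast.Name):
        return func.id            # exec(...) -> "exec"
    return ""


def scan_source(src: str):
    """Return (kind, lineno, detail) findings for one Python source text."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_RE.match(node.value):
                findings.append(("base64_blob", node.lineno, f"{len(node.value)} chars"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(("suspicious_call", node.lineno, name))
    return findings


def is_suspicious(src: str) -> bool:
    """Flag only the combination: a blob AND a decode/exec-style call in one file."""
    kinds = {kind for kind, _, _ in scan_source(src)}
    return "base64_blob" in kinds and "suspicious_call" in kinds


def scan_tree(root: Path):
    """Walk an installed package directory; map flagged file paths to findings."""
    hits = {}
    for path in root.rglob("*.py"):
        try:
            src = path.read_text(encoding="utf-8", errors="replace")
            if is_suspicious(src):
                hits[str(path)] = scan_source(src)
        except (OSError, SyntaxError, ValueError):
            continue              # unreadable or unparsable file: skip, don't crash
    return hits


# Constructed samples (not the real payload) so the check can be exercised offline.
SAMPLE_MALICIOUS = (
    "import base64, subprocess\n"
    "BLOB = '" + "QUFB" * 60 + "'\n"
    "open('/tmp/stage2.py', 'w').write(base64.b64decode(BLOB).decode())\n"
    "subprocess.Popen(['python', '/tmp/stage2.py'])\n"
)
SAMPLE_BENIGN = "import json\n\ndef dump(obj):\n    return json.dumps(obj)\n"


if __name__ == "__main__":
    # Usage: python scan_pkg.py /path/to/site-packages/litellm [installed-version]
    target = Path(sys.argv[1])
    if len(sys.argv) > 2 and version_is_compromised(sys.argv[2]):
        print(f"version {sys.argv[2]} is one of the compromised releases")
    for path, findings in scan_tree(target).items():
        print(path)
        for kind, lineno, detail in findings:
            print(f"  line {lineno}: {kind} ({detail})")
```

Point it at the package directory reported by `pip show litellm` (the `Location` field) and pass the `Version` field as the second argument. The two-condition rule (blob plus call) keeps noise down, but `run` and `system` still match ordinary code, so read each flagged file rather than trusting the verdict.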
Discussion Highlights (20 comments)
bfeynman
Pretty horrifying. I only use it as a lightweight wrapper and will most likely move away from it entirely. Not worth the risk.
iwhalen
What is happening in this issue thread? Why are there 100+ satisfied slop comments?
kevml
More details here: https://futuresearch.ai/blog/litellm-pypi-supply-chain-attac...
cpburns2009
You can see it for yourself here: https://inspector.pypi.io/project/litellm/1.82.8/packages/fd...
bratao
Looks like the founder and CTO's account has been compromised. https://github.com/krrishdholakia
deep_noz
Good, I was too lazy to bump versions.
hiciu
Besides the main issue here, and the owner's account possibly being compromised as well, there are 170+ low-quality spam comments in there. I would expect a better spam detection system from GitHub. This is hardly acceptable.
nickspacek
teampcp taking credit? https://github.com/krrishdholakia/blockchain/commit/556f2db3...
- # blockchain
- Implements a skeleton framework of how to mine using blockchain, including the consensus algorithms.
+ teampcp owns BerriAI
rgambee
Seems that the GitHub account of one of the maintainers has been fully compromised. They closed the GitHub issue for this problem. And all their personal repos have been edited to say "teampcp owns BerriAI". Here's one example: https://github.com/krrishdholakia/blackjack_python/commit/8f...
rgambee
Looking forward to a Veritasium video about this in the future, like the one they recently did about the xz backdoor.
TZubiri
Thank you for posting this, interesting. I hope that everyone's course of action will be uninstalling this package permanently and avoiding the installation of packages similar to this.

In order to reduce supply-chain risk, not only does a vendor (even if gratis and OS) need to be evaluated, but also the advantage it provides. Exposing yourself to supply-chain risk for an HTTP server dependency is natural. But exposing yourself for is-odd, or whatever this is, is not worth it. Remember that you are programmers and you can just program; you don't need a framework. You are already using the API of an LLM provider; don't put a hat on a hat, don't get killed for nothing.

And even if you weren't using this specific dependency, check your deps; you might have shit like this in your requirements.txt and were merely saved by chance.

An additional note: the dev will probably post a post-mortem, what was learned, how it was fixed, maybe downplay the thing. Ignore that; the only reasonable step after this is closing the repo, but there's no incentive to do that.
sschueller
Does anyone know a good alternative project that works similarly (share multiple LLMs across a set of users)? LiteLLM has been getting worse and trying to get me to upgrade to a paid version. I also had issues with creating tokens for other users, etc.
postalcoder
This is a brutal one. A ton of people use litellm as their gateway.
mikert89
Wow this is in a lot of software
Imustaskforhelp
Our modern economy/software industry truly runs on eggshells nowadays: engineers' accounts are getting hacked to create supply-chain attacks at the same time that threat actors are getting more advanced, partially due to help from LLMs. First Trivy (which got compromised twice), now LiteLLM.
6thbit
The title is a bit misleading. The package was directly compromised, not "by supply chain attack". If you use the compromised package, your supply chain is compromised.
intothemild
I just installed Harbor, and it instantly pegged my CPU. I was lucky to see my processes before the system hard-locked. Basically it forkbombed `grep -r rpcuser\rpcpassword` processes trying to find crypto wallets or something. I saw that they spawned from harness, and killed it. Got lucky; no backdoor installed here from what I could make out of the binary.
chillfox
Now I feel lucky that I switched to just using OpenRouter a year ago, because LiteLLM was incredibly flaky and kept causing outages.
gkfasdfasdf
Someone needs to go to prison for this.
6thbit
Worth exploring as a safeguard for some: the automatic import can be suppressed using the Python interpreter's -S option. This would also disable the site import, so it is not viable generically for everyone without testing.