LiteLLM Python package compromised by supply-chain attack

Summary

[Security]: CRITICAL: Malicious litellm_init.pth in litellm 1.82.8 PyPI package — credential stealer Summary The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required. This is a supply chain compromise. The malicious file is listed in the package's own RECORD: litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628 Reproduction pip download litellm==1.82.8 --no-deps -d /tmp/check python3 -c " import zipfile, os whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0] with zipfile.ZipFile(whl) as z: pth = [n for n in z.namelist() if n.endswith('.pth')] print('PTH files:', pth) for p in pth: print(z.read(p)[:300]) " You will see litellm_init.pth containing: import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"]) Malicious Behavior (full analysis) The payload is double base64-encoded. When decoded, it performs the following: Stage 1: Information Collection The script collects sensitive data from the host system: System info: hostname, whoami, uname -a, ip addr, ip route Environment variables: printenv (captures all API keys, secrets, tokens) SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config Git credentials: ~/.gitconfig, ~/.git-credentials AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens GCP credentials: ~/.config/gcloud/application_default_credentials.json Azure credentials: ~/.azure/ Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json Package m...