Home
News
Details

litellm suffers PyPI supply chain attack; sensitive credentials at risk

iconChaincatcher
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
AI summary iconSummary

expand icon
Litellm suffered a PyPI supply chain attack, exposing sensitive credentials such as SSH keys and Kubernetes configurations. The malicious package, which was downloaded 97 million times per month, was removed after causing system crashes. The incident highlights how reentrancy attack-style exploits can propagate through on-chain data and third-party dependencies. Developers are urged to audit their dependencies and secure access to cloud and infrastructure keys.

ChainCatcher report: Andrej Karpathy posted on X that litellm suffered a PyPI supply chain attack—simply running `pip install litellm` could steal SSH keys, AWS/GCP/Azure credentials, Kubernetes configurations, Git credentials, environment variables, crypto wallets, SSL private keys, CI/CD secrets, and database passwords. Litellm receives 97 million monthly downloads, and the risk extends to all projects depending on litellm, such as dspy. The malicious version was live for less than an hour before being discovered due to a flaw in the attack code that caused Callum McMahon’s machine to crash from memory exhaustion. Andrej Karpathy stated that supply chain attacks are among the most serious threats in modern software, as every dependency installation could introduce tampered packages deep within the dependency tree; as a result, he is increasingly inclined to reduce dependencies and instead use LLMs to directly implement simple functionalities.

Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.