Reading up on this LiteLLM compromise and it's a doozy. Looks like the repo owner was popped and did not have two-party approval for merging, so the attacker could instantly push malware into new releases. Never mind that there was no malware scanning in the build pipeline either.

Things you should be doing:

- Pin dependency versions
- Update ONLY when you need a particular fix/feature
- No approving your own MRs (a SOC 2 requirement!)
- Malware/security scans on all builds
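As an added example (not from the post), here is a pre-build check for the first two bullets in a Python project such as one consuming LiteLLM: it rejects any requirement that is not pinned with `==` or that lacks a `--hash` for pip's hash-checking mode, and flags any version that differs from the last reviewed baseline so updates are deliberate. All names and sample data are constructed.

```python
"""Lint a pip requirements file for == pins and sha256 hashes. Added
example, not from the post; names and sample data are constructed. pip's
hash-checking mode refuses artifacts whose hash is not listed."""
import re

# name, optional [extras], then the version spec up to whitespace/marker
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^#\s;]*)")
_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}")

def _logical_lines(text):
    """Join backslash-continued lines, drop blanks and comments."""
    joined = text.replace("\\\n", " ")
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def check_requirements(text, baseline=None):
    """Return (pins, findings). pins: package -> pinned version (None if
    unpinned). baseline: last reviewed pins; any differing version is a
    bump that needs a stated reason (update only for a fix you need)."""
    pins, findings = {}, []
    for ln in _logical_lines(text):
        if ln.startswith("-"):  # -r / -i / --extra-index-url: review by hand
            findings.append(f"option line needs review: {ln}")
            continue
        m = _REQ.match(ln)
        if not m:
            findings.append(f"unparseable requirement: {ln}")
            continue
        name, spec = m.group(1).lower(), m.group(3)
        version = spec[2:] if spec.startswith("==") else None
        if version is None:
            findings.append(f"{name}: not pinned with == (got {spec or 'no spec'})")
        if not _HASH.search(ln):
            findings.append(f"{name}: no --hash, pip cannot verify the artifact")
        if baseline and name in baseline and baseline[name] != version:
            findings.append(f"{name}: version changed {baseline[name]} -> {version}")
        pins[name] = version
    return pins, findings

FAKE_SHA = "0" * 64  # constructed placeholder, not a real artifact hash
SAMPLE = f"""# constructed sample requirements.txt
litellm==1.2.3 \\
    --hash=sha256:{FAKE_SHA}
requests>=2.31
pydantic==2.7.0
"""
BASELINE = {"litellm": "1.2.2", "pydantic": "2.7.0"}  # last reviewed pins
if __name__ == "__main__":
    print(*check_requirements(SAMPLE, BASELINE)[1], sep="\n")
```

Wire it in as a CI step that fails the build on any finding; the baseline is simply the pins dict from the last merged revision.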

And obvs the usual MFA, etc. for your identity layer.