In hindsight: a bad choice of a hero message
If you haven't heard, two versions of LiteLLM got hacked yesterday (1.82.7 and 1.82.8)
Live on PyPI for 3 hours. Downloaded 3.4 million times per day.
Stole SSH keys, AWS credentials, Kubernetes secrets, API keys, Docker registry credentials, and crypto wallet seed phrases.
How it happened:
Attackers compromised Trivy (a security scanner) first. When LiteLLM's CI ran Trivy, it leaked their PyPI token. With that token, they published the poisoned versions.
Worst part: version 1.82.8 used a .pth file. The malicious code ran every time Python started. Even when you just ran pip.
There's a few articles popping up about this. Quite a huge deal, as MANY agent toolkits (even one I'm making in a personal project) use LiteLLM behind the scenes.
If you installed either version:
1. Check for backdoors at ~/.config/sysmon/sysmon.py
2. Rotate every credential on that machine
3. Check for suspicious pods: kubectl get pods -A | grep node-setup-
Safe version: anything ≤ 1.82.6
Jake Manger