RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts as motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni, I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

@brettcannon as far as I understand, the developer account was compromised and the bad payload was committed to the repository, so trusted publishing would have created a valid release and you wouldn’t have noticed anything. Did I miss something?

@fschulze @brettcannon This particular attack was an exfiltration of a long-lived PyPI API key, with packages uploaded from a separate origin. If I understand correctly, there *was* a dev account compromise, but that was of the GitHub Action that was used to perform the key exfiltration (that is, trivy was compromised first, then used to attack LiteLLM et al).

Edit to link the specific analysis my understanding is based on: https://futuresearch.ai/blog/litellm-hack-were-you-one-of-the-47000/

LiteLLM Hack: Were You One of the 47,000?

The litellm 1.82.7 and 1.82.8 supply chain attack on PyPI hit 47,000 downloads in 46 minutes. We analyzed all 2,337 dependent packages - 88% had version specs that allowed the compromised versions.

FutureSearch