AI Security - Supply Chain Attack Targets LiteLLM Gateway
In short: attackers planted malicious code in a popular AI library, LiteLLM, to steal credentials and other sensitive data from the systems that installed it.
A serious supply chain attack has compromised the LiteLLM AI gateway, impacting sensitive data across multiple organizations. This incident highlights the risks of software vulnerabilities. Immediate action is required to secure affected systems and prevent data theft.
What Happened
In March 2026, a significant supply chain attack was discovered involving the popular Python library LiteLLM. This LLM gateway, widely used in AI applications, was compromised when attackers uploaded malicious versions to the PyPI repository. Specifically, versions 1.82.7 and 1.82.8 contained trojanized code that harvested sensitive information from any system that installed them. This incident highlights the growing trend of supply chain attacks, where attackers abuse trusted software to deploy malware.
The malicious code was cleverly embedded in two files: proxy_server.py in version 1.82.7 and litellm_init.pth in version 1.82.8. Each version executed the payload differently, allowing the malware to remain undetected while it carried out its malicious activities. The implications of this attack are severe, affecting numerous organizations that rely on LiteLLM for their AI operations.
Who's Being Targeted
The primary targets of this attack were servers containing confidential data related to various services, including AWS, Kubernetes, and databases like MySQL and PostgreSQL. The attackers aimed to extract sensitive configurations and credentials, which could grant them unauthorized access to critical infrastructure. Additionally, the malware sought to steal information from crypto wallets and communication channels within development teams, such as Slack and Discord.
The victimology of this attack spans globally, with significant infection attempts reported in countries like Russia, China, Brazil, the Netherlands, and the UAE. This broad impact emphasizes the risk posed by such supply chain vulnerabilities, as they can affect organizations across various sectors.
Technical Analysis
The malicious payload executed a series of operations once it infiltrated a system. It began by scanning directories for sensitive information, including SSH keys, Git accounts, and configuration files for various services. Notably, the malware did not just target static secrets but also attempted to extract runtime secrets from cloud environments, specifically by querying the AWS Instance Metadata Service (IMDS) endpoint.
Furthermore, the malware was designed to establish a foothold in Kubernetes clusters. If it gained sufficient access, it could configure a privileged pod and execute scripts that allowed for ongoing access to the infrastructure. This persistence mechanism ensured that even if the initial container was terminated, the attackers could maintain their presence and continue to deliver payloads.
What You Should Do
Organizations using LiteLLM or similar libraries should take immediate action to protect themselves. First, ensure that you are using the latest, untainted versions of any software libraries. Regularly audit your systems for unauthorized changes and monitor for unusual activity, especially in cloud environments.
Implementing robust security practices, such as multi-factor authentication and least privilege access, can help mitigate the risks associated with such attacks. Additionally, consider using security tools that can detect anomalies in behavior, especially in environments that utilize Kubernetes and cloud services. Staying informed about vulnerabilities and threats in your software supply chain is crucial for maintaining security in today’s digital landscape.
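The first step above, checking that you are not running a tainted release, can be scripted. The following audit is an added example written for this article, not code from Securelist or from the LiteLLM project: it flags the two release numbers named above and reviews every `.pth` file in the interpreter's site-packages, because CPython's `site` module executes any `.pth` line that starts with `import` at interpreter startup, so a hook such as the `litellm_init.pth` described above runs in every Python process on that host even if the application never imports LiteLLM. The version set and file name are the ones the article reports; everything else is ordinary standard-library code.

```python
import site
from pathlib import Path
from importlib import metadata

BAD_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}   # releases named in the advisory
SUSPICIOUS_PTH_NAMES = {"litellm_init.pth"}   # startup hook named in the advisory

def installed_litellm_version():
    """Version of the installed litellm distribution, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None

def litellm_version_is_bad(version):
    """True only for the trojanized releases; None (not installed) is fine."""
    return version in BAD_LITELLM_VERSIONS

def pth_exec_lines(pth_text):
    """Lines of a .pth file that CPython's site module exec()s at startup.
    Only lines beginning with 'import ' or 'import<TAB>' are executed; every
    other non-comment line is a plain path entry. A hook planted this way runs
    in every process using that site-packages, even if litellm is never imported.
    """
    return [ln for ln in pth_text.splitlines()
            if ln.startswith(("import ", "import\t"))]

def audit_pth_file(name, text):
    """Reasons this .pth deserves review (empty list = nothing found).
    Some legitimate tools (editable installs, setuptools shims) also use
    import lines, so findings are for triage, not automatic deletion.
    """
    reasons = []
    if name in SUSPICIOUS_PTH_NAMES:
        reasons.append("file name matches the advisory")
    reasons += ["executes code at startup: " + ln[:80] for ln in pth_exec_lines(text)]
    return reasons

def audit_site_packages(site_dirs=None):
    """Scan every .pth in the site directories; returns {path: reasons}."""
    dirs = site_dirs or site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for pth in (p for d in dirs for p in Path(d).glob("*.pth")):
        try:
            reasons = audit_pth_file(pth.name, pth.read_text(errors="replace"))
        except OSError:
            continue
        if reasons:
            findings[str(pth)] = reasons
    return findings
```

Run `litellm_version_is_bad(installed_litellm_version())` and `audit_site_packages()` inside each virtual environment or container image that ships LiteLLM, since every environment has its own site-packages and therefore its own set of startup hooks.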
Kaspersky Securelist