π―LiteLLM, a tool for using AI models, was hacked. When users installed the latest versions, bad code was included that could steal their passwords just by starting Python. Users need to change their passwords quickly to stay safe.
The Flaw
LiteLLM, an open-source Python interface for large language models, faced a significant security breach. Two versions, v1.82.7 and v1.82.8, were found to contain malicious code that could steal user credentials. This vulnerability stemmed from a misconfiguration in the CI/CD pipeline that utilized Trivy, an open-source vulnerability scanner. The attackers exploited this flaw to inject harmful code into the project.
The attack began in late February when the attackers gained access to a privileged access token. This token was crucial for manipulating the CI/CD pipeline. By March 19, they had published a malicious release of Trivy, which further compromised the integrity of LiteLLM. Notably, version 1.82.8 included a malicious .pth file (litellm_init.pth, 34,628 bytes) that is executed automatically by the Python interpreter on startup, without requiring any explicit import of the LiteLLM module. This means that users could be compromised simply by starting their Python environment.
What's at Risk
The consequences of this breach are severe for any users of LiteLLM. Anyone who has installed the affected versions should assume that their credentials, including sensitive access tokens, may have been exposed. The Python Packaging Authority (PyPA) has issued a security advisory, urging users to revoke and rotate any credentials associated with LiteLLM.
Security experts highlight that the attackers' methods were sophisticated. By modifying existing version tags in the GitHub Action script for Trivy, they managed to inject malicious code into workflows that organizations were already using. This means that many CI/CD pipelines continued to run without any indication of the underlying changes, putting countless users at risk.
Patch Status
In response to the attack, the LiteLLM team has taken immediate action. They have removed the compromised versions from the Python Package Index (PyPI) and deleted all publishing tokens associated with the project. The CEO of Berri AI, which maintains LiteLLM, stated that they are reviewing their security measures to prevent future breaches. This includes considering trusted publishing methods and potentially moving to a different PyPI account.
Despite these efforts, the situation underscores the importance of maintaining strict security protocols within CI/CD environments. The reliance on version tags rather than pinned commits can lead to vulnerabilities that are difficult to detect.
Immediate Actions
For users of LiteLLM, immediate action is necessary. Here are some steps to take: By taking these steps, users can mitigate the risks associated with this breach. As the cybersecurity landscape evolves, it is crucial to stay vigilant and proactive in protecting sensitive information.
Containment
- 1.Revoke any exposed credentials: If you have used LiteLLM, assume your credentials are compromised.
- 2.Rotate tokens and passwords: Ensure that all access tokens and passwords associated with your LiteLLM environment are changed.
Remediation
This incident highlights the critical need for robust security measures in the software supply chain, including the implementation of Software Bill of Materials (SBOMs) and adherence to security frameworks like SLSA and SigStore.
