A critical supply chain attack was discovered in litellm versions 1.82.7 and 1.82.8 on PyPI. Two different injection techniques were used: a malicious `.pth` file in 1.82.8 that executes on every Python startup, and a base64-encoded payload embedded in `proxy_server.py` in 1.82.7. Both versions carry an identical three-stage payload: (1) a mass credential harvester targeting SSH keys, AWS/GCP/Azure credentials, Kubernetes secrets, environment files, crypto wallets, and shell history; (2) a persistent C2 backdoor disguised as 'System Telemetry Service' that polls `checkmarx.zone` every ~50 minutes for arbitrary remote code execution; and (3) Kubernetes lateral movement that deploys privileged pods to every cluster node to install the backdoor on host OS. All stolen data is encrypted with AES-256-CBC and RSA-4096 before exfiltration to `models.litellm.cloud`. Downstream projects including Microsoft GraphRAG, Google ADK, DSPy, OpenHands, and others were affected. Immediate remediation requires rotating all credentials, removing the persistence backdoor, checking for K8s lateral movement, and auditing network logs for connections to the attacker-controlled domains.
Table of contents
Background: What Is litellm?The Entry Points: Two Versions, Two Injection TechniquesStage 1: Mass Credential HarvesterStage 2: Persistent C2 BackdoorStage 3: Kubernetes Lateral MovementControlled Execution AnalysisDownstream ImpactThe Comment Spam CampaignAttack Flow SummaryRemediationHow StepSecurity HelpsReferencesSort: