A first-person incident response account of discovering and handling the LiteLLM 1.82.8 PyPI supply chain attack on March 24, 2026. The author shares a minute-by-minute Claude Code transcript covering the investigation from initial mysterious process explosions (11k processes spawned) through forensic analysis of orphaned Python processes, malware identification, and public disclosure. The investigation reveals orphaned python -c processes running base64-encoded payloads, a deadlocked uv run chain, and ultimately traces the process storm to a likely runaway spawning loop rather than a traditional persistence-based malware infection.

2m read time. From futuresearch.ai