Criminals compromise popular AI library: half a million credentials stolen

A widely used AI library has been compromised in a suspected supply chain attack, with up to half a million credentials reportedly stolen. The malicious code was hidden in a PyPI package used by millions of developers.
It is reported that LiteLLM, which has around 97 million monthly downloads, suffered a Python Package Index (PyPI) supply-chain attack, and that version 1.82.8 is suspected to contain malware that may steal sensitive data after installation.
Cybersecurity team SlowMist lists SSH keys, cloud credentials, Kubernetes configurations, Git credentials, API keys, shell history, database passwords, crypto wallets, etc., among the potentially targeted data.
The team recommended removing or replacing the affected version, rotating relevant credentials, and reviewing logs, access records, and sensitive data usage.
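As an added example (not code from the article, SlowMist or the LiteLLM project), a small Python checker for the first of those steps: it flags `litellm==1.82.8` pins in requirements or `pip freeze` output and finds matching `.dist-info` directories in a venv, site-packages tree or local package cache. The `AFFECTED` table is an assumption keyed on the version the report names; in practice it would be maintained from the official advisory.

```python
import re
from pathlib import Path

# Assumed table: package -> affected versions. 1.82.8 is the version the
# report names; keep this in sync with the official advisory.
AFFECTED = {"litellm": {"1.82.8"}}

def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_affected(name: str, version: str) -> bool:
    return version in AFFECTED.get(normalize(name), set())

# 'name==version' pins as found in requirements.txt or `pip freeze` output.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def scan_pins(text: str) -> list[tuple[str, str]]:
    """Return the (name, version) pins in freeze/requirements text that are affected."""
    hits = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m and is_affected(m.group(1), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Installed distributions leave a '<name>-<version>.dist-info' directory
# (PEP 376); the version part carries no '-' in its normalised form.
DIST_INFO_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[^-]+)\.dist-info$")

def affected_dist_infos(dir_names) -> list[str]:
    """Filter dist-info directory names down to those of an affected version."""
    hits = []
    for n in dir_names:
        m = DIST_INFO_RE.match(n)
        if m and is_affected(m.group("name"), m.group("version")):
            hits.append(n)
    return hits

def scan_tree(root: Path) -> list[Path]:
    """Walk a venv, site-packages dir or package cache for affected installs."""
    dirs = [p for p in root.rglob("*.dist-info") if p.is_dir()]
    wanted = set(affected_dist_infos(p.name for p in dirs))
    return [p for p in dirs if p.name in wanted]
```

Run `scan_tree(Path(sys.prefix))` for the active interpreter, or point it at each virtualenv and package cache on the machine; a non-empty result means the version should be removed and the credentials SlowMist lists rotated.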
Meanwhile, International Cyber Digest claims it is in contact with the actor behind the LiteLLM hack, which is reportedly TeamPCP, and that the LiteLLM compromise "led to half a million stolen credentials."
https://x.com/IntCyberDigest/status/2036526495254876418
Callum McMahon, research scientist at AI solutions firm Futureresearch, who was the first to discover and report this attack, said that after he "got taken out by malware on my local machine," it "started stuttering hard, something that really shouldn't be happening on a 48GB Mac."
He was then forced to hard reset his computer and, on restart, asked Claude to investigate the issue. However, McMahon said he "wasn't buying" Claude's initial explanations and, with the help of Claude Code, found the "offending cause, the rogue package buried within my UV cache."
The researcher also said he found a "sloppy, likely vibe-coded mistake" in the actual malware implementation, without which "it would have gone unnoticed for much longer."
Popular AI expert Andrej Karpathy estimates that the poisoned version of LiteLLM was up for less than 1 hour.
Either way, despite the coding error, malware researchers at vx-underground report that the payload worked and failed only in specific, currently unknown edge cases.
"Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency, you could be pulling in a poisoned package anywhere deep inside its entire dependency tree," Karpathy concluded, stressing that the credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.