The LiteLLM Supply Chain Attack Broke Trust in Python-Based AI Infrastructure
Hackers exploited vulnerabilities in the Trivy container security scanner to steal credentials and publish malicious versions of the popular LiteLLM Python library, leading to a widespread supply chain attack.
Why it matters
This attack highlights the risks of supply chain vulnerabilities in the Python ecosystem, which many AI/ML projects rely on. It eroded trust in Python-based AI infrastructure and exposed the need for better security practices around dependency management and CI/CD pipelines.
Key Points
- Threat actor group TeamPCP exploited a vulnerability in the Trivy GitHub Action to steal credentials and rewrite release tags
- The malicious Trivy action exfiltrated LiteLLM's PyPI publishing token, allowing the attackers to publish backdoored versions 1.82.7 and 1.82.8
- The malware had a three-stage payload to collect sensitive data, encrypt and exfiltrate it, and install persistent backdoors
- The attack used Python's startup hooks mechanism to execute malware on every interpreter startup, not just when importing LiteLLM
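The first two points hinge on a mutable release tag: a workflow that references an action by tag runs whatever the tag points to at the moment of the run, so whoever can move the tag controls the job and every secret it can reach. Pinning to a full commit SHA removes that lever. The following check, an added example that is not LiteLLM's, Trivy's or the write-up's own code, walks workflow files and reports every `uses:` reference that is not a 40-hex commit SHA. The action names, version strings and the SHA in the sample workflow are constructed placeholders.

```python
"""Added example: flag GitHub Actions references that are not pinned to a
commit SHA. A `uses:` line that names a tag (@v1, @0.2.0) resolves to
whatever the tag points to at run time, so an attacker who can move the
tag controls what the workflow executes; a 40-hex commit SHA cannot be
moved. All action names, versions and the SHA below are constructed."""
import re
from pathlib import Path

# Matches `uses: owner/repo[/path]@ref`, optionally quoted, with or without a
# leading list dash. A trailing `# v1.2.3` comment is excluded from the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.\-/]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(workflow_text):
    """Return (line_no, action, ref) for each remote action whose ref is a
    tag or branch rather than a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        # Local actions (./path) live in the same repo and are out of scope.
        # docker:// references never match USES_RE (the colon), so they are
        # skipped as well; image digests are a separate check.
        if action.startswith("./"):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


def scan_workflows(repo_root):
    """Scan every workflow file under .github/workflows of a checkout and
    return {path: [(line_no, action, ref), ...]} for files with findings."""
    results = {}
    wf_dir = Path(repo_root, ".github", "workflows")
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        hits = unpinned_uses(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample workflow: one SHA-pinned step, one tag-pinned third-party
# scanner step, one local action. The SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Container scan
        uses: example-org/security-scanner@v0.3
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for line_no, action, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is a mutable ref; pin to a commit SHA")
```

Run it against a checkout with `scan_workflows(".")`; the sample workflow yields exactly one finding, the tag-pinned scanner step. Pinning is only half of the mitigation: the publishing token the workflow can reach should also be scoped so that a compromised step cannot push a release.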
Details
The LiteLLM supply chain attack started with a vulnerability in the Trivy container security scanner's GitHub Action. Threat actors from the group TeamPCP exploited this to steal Trivy's credentials and rewrite its release tags to point to malicious payloads. LiteLLM's CI/CD pipeline then pulled the compromised Trivy action, allowing the attackers to exfiltrate LiteLLM's PyPI publishing token. Using this token, they published two backdoored versions of LiteLLM to PyPI with legitimate credentials.

The malware had a three-stage payload: first collecting sensitive data such as credentials, API keys, and cryptocurrency wallets; then encrypting and exfiltrating that data; and finally installing persistent backdoors, including in Kubernetes environments. Crucially, the attack used Python's startup hooks mechanism to execute the malware on every interpreter startup, not just when importing LiteLLM, making it extremely difficult to detect and contain.
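The write-up names the persistence mechanism only as Python's "startup hooks". One standard form of such a hook is a `.pth` file in a site-packages directory: Python's `site` module reads every `*.pth` file at interpreter start and executes any line that begins with `import`, whether or not the program ever imports the package that dropped the file. The scanner below is an added example, not code from LiteLLM, Trivy or the write-up, and it assumes the `.pth` form of the hook; it lists every such executable line so an incident responder can triage them, and checks an installed version string against the two releases the write-up names. The sample `.pth` files are constructed, and the import line in them is inert.

```python
"""Added example: enumerate the .pth start-up hooks an interpreter will run.
Python's site module reads every *.pth file in each site-packages directory
at start-up and exec()s any line that begins with 'import', so such a line
runs on every interpreter start regardless of what the program imports.
The write-up names the mechanism only as "startup hooks"; this scanner
targets the .pth form of it. Sample files below are constructed."""
import os
import site
import tempfile
from pathlib import Path

# Release versions the write-up identifies as backdoored.
BACKDOORED_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}


def executable_pth_lines(site_packages):
    """Return (file, line_no, text) for every line site.addpackage() would
    exec(): those starting with 'import ' or 'import\\t'. Other lines are
    path entries or comments and only extend sys.path."""
    hits = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        with open(pth, encoding="utf-8", errors="replace") as fh:
            for line_no, raw in enumerate(fh, 1):
                line = raw.rstrip("\r\n")
                if line.startswith(("import ", "import\t")):
                    hits.append((str(pth), line_no, line))
    return hits


def scan_interpreter():
    """Run the check over this interpreter's site-packages directories.
    Expect some legitimate hits (for example setuptools' distutils-precedence.pth),
    so treat the result as a triage list, not a verdict."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    findings = []
    for d in dirs:
        if os.path.isdir(d):
            findings.extend(executable_pth_lines(d))
    return findings


def is_backdoored_litellm(version):
    """True if an installed litellm version string is one of the two
    releases the write-up names."""
    return version.strip() in BACKDOORED_LITELLM_VERSIONS


def build_demo_site_packages():
    """Constructed sample directory: one path-only .pth and one with an
    import line. The import line is inert (stdlib only); it is here solely
    to show what the scanner flags."""
    d = tempfile.mkdtemp(prefix="pth-demo-")
    Path(d, "vendored-paths.pth").write_text("../vendored\n# a comment\n")
    Path(d, "startup-hook.pth").write_text("import os; os.getpid()\n")
    return d


if __name__ == "__main__":
    for path, line_no, text in executable_pth_lines(build_demo_site_packages()):
        print(f"{path}:{line_no}: {text}")
    for path, line_no, text in scan_interpreter():
        print(f"{path}:{line_no}: {text}")
```

Because the hook fires for every interpreter on the host, not just the one running the application, run `scan_interpreter()` under each Python installation and virtual environment present, and compare each flagged file against the package that owns it (the `RECORD` file in the corresponding `.dist-info` directory) before deciding whether it is expected.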