Understanding the threats posed by the LiteLLM AI gateway compromise

Mar 27, 2026 | Threat Intelligence Research

Supply Chain Attack Targets Python Library LiteLLM

A recent analysis by Kaspersky highlights a supply chain attack on the Python library LiteLLM that put numerous infrastructure components at risk. The attackers exploited vulnerabilities within this widely used library, injecting malicious code that has significant implications for developers and their systems.

The attack occurred in March 2026, when malicious versions of LiteLLM were uploaded to the PyPI repository. The infected versions (1.82.7 and 1.82.8) used different methods for executing malicious scripts. Notably, the malware was geared toward extracting sensitive data from various systems, specifically AWS metadata, Kubernetes configurations, and database credentials. The technical analysis outlined a complex multi-stage attack that allowed attackers to bypass security mechanisms and establish persistent backdoors within Kubernetes clusters.

One of the more concerning elements is the malware’s integration with cloud infrastructure via the AWS Instance Metadata Service. This suggests that even systems with robust security measures could be at risk if they utilize vulnerable libraries. Infected scripts sought out not just files on disk but also dynamic secrets provided by cloud services, showcasing the sophistication of this threat.

Defensive Context

Organizations relying on widely used open-source libraries such as LiteLLM must be acutely aware of the risks associated with supply chain attacks. This is particularly relevant for businesses that integrate these libraries within their critical infrastructure, as attackers can exploit any vulnerable components to gain access to sensitive data and configurations.

Why This Matters

The threat posed by this attack affects developers and companies using LiteLLM and similar libraries, especially within sectors heavily dependent on cloud services and containerization technologies like Kubernetes. Organizations handling confidential data must prioritize understanding how this threat could impact their infrastructure.

Defender Considerations

Defensive measures are crucial for mitigating risks associated with malicious library injections. Entities should monitor their dependencies for compromised versions in online repositories. While the analyzed library versions have been removed, organizations must still assess any prior usage of these versions and consider rotating relevant credentials, such as API keys and database passwords. Furthermore, detection strategies should include checking filesystem changes for unauthorized scripts or services, particularly in Kubernetes environments.
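
One way to run the dependency check described above, as an added example rather than code from Kaspersky's analysis or the LiteLLM project: it scans requirements-style text and the installed distributions for the two versions named on this page. The `SAMPLE` input, the function names and the status labels are constructed for illustration.

```python
import re
from importlib import metadata

# Versions this page names as malicious.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}
# name, optional [extras], optional exact pin (== or ===)
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:(===?)\s*([^\s;,\\]+))?")

def normalize(name):
    """PEP 503 normalization so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_no, status, line) for requirements.txt / pip-freeze style text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()    # drop comments
        if not line or line.startswith("-"):             # skip options and --hash lines
            continue
        m = REQ.match(line)
        if not m or normalize(m.group(1)) not in COMPROMISED:
            continue
        op, version = m.group(2), m.group(3)
        if op is None or "*" in version:
            # A bare name, range or wildcard may have resolved to a listed release.
            findings.append((no, "UNPINNED", line))
        elif version in COMPROMISED[normalize(m.group(1))]:
            findings.append((no, "COMPROMISED", line))
    return findings

def scan_installed(pairs=None):
    """Check (name, version) pairs; defaults to the current environment."""
    if pairs is None:
        pairs = [(d.metadata.get("Name") or "", d.version) for d in metadata.distributions()]
    return [(normalize(n), v) for n, v in pairs if v in COMPROMISED.get(normalize(n), ())]

# Constructed sample input, not taken from a real project.
SAMPLE = """\
LiteLLM[proxy]==1.82.7 \\
    --hash=sha256:0000
litellm==1.82.6  # not one of the listed versions
litellm>=1.80,<2
example-litellm-plugin==0.1.0
"""

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE) + scan_installed():
        print(finding)
```

An `UNPINNED` finding is not proof of exposure; it means the version that was actually resolved has to be confirmed from a lock file or build log.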

Indicators of Compromise (IOCs)

  • Malicious URLs:

    • models.litellm.cloud
    • checkmarx.zone
  • Infected Packages:

    • MD5 hashes for compromised versions include:
      • 85ED77A21B88CAE721F369FA6B7BBBA3
      • 2E3A4412A7A487B32C5715167C755D08
      • 0FCCC8E3A03896F45726203074AE225D
  • Malicious Scripts:

    • Hashes for scripts associated with the attack:
      • F5560871F6002982A6A2CC0B3EE739F7
      • CDE4951BEE7E28AC8A29D33D34A41AE5
      • 05BACBE163EF0393C2416CBD05E45E74
