Security Alert: Malicious Code Injected into Popular AI Gateway Library
In a stark reminder of the growing threats to the software supply chain, the popular Python library Litellm has been compromised. The project's maintainers, BerriAI, confirmed that two recent versions of the package published to the Python Package Index (PyPI) contained malicious code designed to exfiltrate sensitive developer credentials.
The incident was first brought to public attention through a GitHub issue that was subsequently discussed on Hacker News. The affected versions are 1.82.7 and 1.82.8.
Litellm serves as a unified interface, or gateway, for interacting with over 100 Large Language Model (LLM) APIs. Its ability to standardize calls to services like OpenAI, Anthropic's Claude, and Google's Gemini has made it a go-to tool for developers building AI-powered applications. This popularity, however, also made it a high-value target for attackers.
The Attack Explained
The malicious code was cleverly embedded within the setup.py file, a script that runs during the package installation process via pip. Analysis of the compromised versions reveals that the code was designed to collect all environment variables from the user's system and transmit them to a remote server controlled by the attacker, located at https://litellm.up.railway.app/.
For AI developers, environment variables often contain highly sensitive information, including:
OPENAI_API_KEYANTHROPIC_API_KEYAWS_ACCESS_KEY_ID- Other database credentials and secret tokens
By stealing these keys, an attacker could gain unauthorized access to a developer's cloud services and LLM accounts, potentially racking up enormous bills, accessing private data, or compromising entire applications.
This type of security breach is known as a software supply-chain attack, where a legitimate software package is trojanized with malicious code. It exploits the trust developers place in open-source registries like PyPI.
What You Need to Do Immediately
The Litellm maintainers responded swiftly, removing the compromised packages and releasing a clean version. All developers and organizations using Litellm should take the following steps without delay:
1. Check Your Current Version: Open your terminal and run the following command to see which version of Litellm you have installed: