Malicious litellm_init.pth in litellm 1.82.8 — credential stealer (https://github.com/BerriAI/litellm/issues/24512)

The LiteLLM v1.82.8 package published to PyPI was compromised with a particularly nasty credential stealer hidden in base64 in a litellm_init.pth file, which means installing the package is enough to trigger it even without running import litellm.

This issue has a very detailed description of what the credential stealer does. There’s more information about the timeline of the exploit over here (https://github.com/BerriAI/litellm/issues/24518).

PyPI has already quarantined (https://pypi.org/help/#project_in_quarantine) the litellm package (https://pypi.org/project/litellm/) so the window for compromise was just a few hours, but if you DID install the package it would have hoovered up a bewildering array of secrets, including ~/.ssh/, ~/.gitconfig, ~/.git-credentials, ~/.aws/, ~/.kube/, ~/.config/, ~/.azure/, ~/.docker/, ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js, ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history, ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/, ~/.cardano/.

Tags: open-source (https://simonwillison.net/tags/open-source), pypi (https://simonwillison.net/tags/pypi), python (https://simonwillison.net/tags/python), supply-chain (https://simonwillison.net/tags/supply-chain)