Mitigate litellm supply chain compromise (1.82.7, 1.82.8) #393

Merged
TomasTomecek merged 2 commits into packit:main from TomasTomecek:litellm-sec
Mar 25, 2026
@TomasTomecek
Member

  • Exclude litellm==1.82.7 and litellm==1.82.8 from all Containerfiles
    and pyproject.toml — these versions contain a malicious .pth file
    that harvests credentials at Python startup and exfiltrates them via curl
  • Add a RUN build step to every Containerfile that fails the build if the
    malicious litellm_init.pth is found in site-packages, as a defence-in-depth
    safety net

litellm 1.82.7 and 1.82.8 were supply-chain-compromised packages published
to PyPI. They contain litellm_init.pth, a .pth file that executes
automatically when Python starts (no import required). The payload collects
SSH keys, cloud credentials (AWS/GCP/Azure), kubeconfigs, CI/CD secrets,
and shell history, then exfiltrates them AES+RSA encrypted to an attacker-
controlled host.

We pull in litellm transitively via beeai-framework==0.1.55, which
specifies litellm>=1.76.1,<2.0.0 — wide enough to resolve to either bad
version. PyPI has since yanked both versions (latest safe is 1.82.6), but
the explicit exclusions make the intent clear and guard against any future
re-publication or similar attack.

Ref: BerriAI/litellm#24512

litellm 1.82.7 and 1.82.8 were supply-chain-compromised packages
containing a malicious .pth file that executes at Python startup
and exfiltrates credentials (SSH keys, cloud creds, kubeconfigs).
litellm is a transitive dependency via beeai-framework, which allows
>=1.76.1,<2.0.0, so pip could resolve to either bad version.

See: BerriAI/litellm#24512

Signed-off-by: Tomas Tomecek <ttomecek@redhat.com>
Assisted-by: Claude

The compromised litellm 1.82.7/1.82.8 packages drop a litellm_init.pth
file into site-packages that executes automatically at Python startup.
Adding a RUN step after pip install that searches /usr and /opt for
this file and fails the build if found provides a defence-in-depth
safety net in case the version exclusion is ever bypassed.

Signed-off-by: Tomas Tomecek <ttomecek@redhat.com>
Assisted-by: Claude
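
An added example, not part of this pull request or the packit code base: a build-time audit that generalizes the filename check described above by flagging any `.pth` file containing lines the `site` module executes at startup (lines beginning with `import` followed by a space or tab). The `allowed_names` parameter and the sample file names are assumptions; legitimate packages such as setuptools also ship executable `.pth` lines, hence the allowlist.

```python
import os
import sys
import tempfile

# site.py exec()s any .pth line that starts with one of these prefixes.
EXEC_PREFIXES = ("import ", "import\t")


def executable_pth_lines(path):
    """Return (line_number, text) for each line Python would execute at startup."""
    hits = []
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            if line.startswith(EXEC_PREFIXES):
                hits.append((number, line.rstrip("\r\n")))
    return hits


def scan_roots(roots, allowed_names=()):
    """Map every non-allowlisted .pth file under roots to its executable lines."""
    findings = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.endswith(".pth") and name not in allowed_names:
                    hits = executable_pth_lines(os.path.join(dirpath, name))
                    if hits:
                        findings[os.path.join(dirpath, name)] = hits
    return findings


def demo():
    """Scan a constructed site-packages tree; returns {file name: hits}."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "lib", "python3", "site-packages")
        os.makedirs(site)
        # Constructed samples: one path-only file, one carrying an exec line.
        with open(os.path.join(site, "paths_only.pth"), "w") as fh:
            fh.write("# comment\n../vendored\n")
        with open(os.path.join(site, "renamed_hook.pth"), "w") as fh:
            fh.write("../vendored\nimport sys; sys.stdout.flush()\n")
        return {os.path.basename(p): h for p, h in scan_roots([tmp]).items()}


if __name__ == "__main__":
    roots = sys.argv[1:]
    results = scan_roots(roots) if roots else demo()
    print(results, file=sys.stderr)
    sys.exit(1 if roots and results else 0)
```

In a Containerfile, invoke it with `python3 -S` and the search roots as arguments so that `.pth` files are not processed while the audit itself starts; it exits 1 when anything is flagged.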

Contributor

@gemini-code-assist bot left a comment

Code Review

This pull request updates dependency configurations in pyproject.toml and several Containerfiles to exclude specific problematic versions of the litellm library (1.82.7 and 1.82.8). It also introduces a security check in the Containerfiles to detect and prevent the use of malicious litellm_init.pth files. The feedback suggests improving the robustness and clarity of the security alert message, specifically by quoting the $MALICIOUS variable to handle filenames with spaces or multiple results, and by redirecting the output to stderr.

Comment on lines +56 to +60
RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
if [ -n "$MALICIOUS" ]; then \
echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \
exit 1; \
fi
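
Review bot: this check fails open on the `find` line. With `2>/dev/null` and no test of the exit status, a `find` that errors leaves `$MALICIOUS` empty and the build passes, and only `/usr` and `/opt` are searched, so a virtualenv or user site directory elsewhere is never looked at. Consider dropping the redirect or failing when `find` returns non-zero, and taking the search roots from the interpreter's actual site directories.
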
Contributor

medium

The error message when a malicious file is found could be improved for clarity and robustness. The current implementation with an unquoted $MALICIOUS variable can lead to garbled output if multiple files are found or if filenames contain spaces. It is also a good practice to redirect error messages to stderr (>&2).

RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
    if [ -n "$MALICIOUS" ]; then \
      echo "SECURITY ALERT: malicious litellm_init.pth detected:" >&2; \
      echo "$MALICIOUS" >&2; \
      exit 1; \
    fi

Member Author

Thanks Gemini but you are just picking nits here, I'm not applying that to all occurrences, sorry

Comment on lines +57 to +61
RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
if [ -n "$MALICIOUS" ]; then \
echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \
exit 1; \
fi
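
Review bot: the match in `find /usr /opt -name "litellm_init.pth"` is on one literal filename, so the same kind of file under any other `.pth` name passes this step. If the step is meant as a safety net beyond these two releases, consider flagging any `.pth` file under site-packages that contains a line starting with `import`, with an allowlist for the ones the image is expected to carry.
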
Contributor

medium

The error message when a malicious file is found could be improved for clarity and robustness. The current implementation with an unquoted $MALICIOUS variable can lead to garbled output if multiple files are found or if filenames contain spaces. It is also a good practice to redirect error messages to stderr (>&2).

RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
    if [ -n "$MALICIOUS" ]; then \
      echo "SECURITY ALERT: malicious litellm_init.pth detected:" >&2; \
      echo "$MALICIOUS" >&2; \
      exit 1; \
    fi

Comment on lines +42 to +46
RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
if [ -n "$MALICIOUS" ]; then \
echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \
exit 1; \
fi
Contributor

medium

The error message when a malicious file is found could be improved for clarity and robustness. The current implementation with an unquoted $MALICIOUS variable can lead to garbled output if multiple files are found or if filenames contain spaces. It is also a good practice to redirect error messages to stderr (>&2).

RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
    if [ -n "$MALICIOUS" ]; then \
      echo "SECURITY ALERT: malicious litellm_init.pth detected:" >&2; \
      echo "$MALICIOUS" >&2; \
      exit 1; \
    fi

Comment on lines +40 to +44
RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
if [ -n "$MALICIOUS" ]; then \
echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \
exit 1; \
fi
Contributor

medium

The error message when a malicious file is found could be improved for clarity and robustness. The current implementation with an unquoted $MALICIOUS variable can lead to garbled output if multiple files are found or if filenames contain spaces. It is also a good practice to redirect error messages to stderr (>&2).

RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
    if [ -n "$MALICIOUS" ]; then \
      echo "SECURITY ALERT: malicious litellm_init.pth detected:" >&2; \
      echo "$MALICIOUS" >&2; \
      exit 1; \
    fi

Comment on lines +38 to +42
RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
if [ -n "$MALICIOUS" ]; then \
echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \
exit 1; \
fi
Contributor

medium

The error message when a malicious file is found could be improved for clarity and robustness. The current implementation with an unquoted $MALICIOUS variable can lead to garbled output if multiple files are found or if filenames contain spaces. It is also a good practice to redirect error messages to stderr (>&2).

RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \
    if [ -n "$MALICIOUS" ]; then \
      echo "SECURITY ALERT: malicious litellm_init.pth detected:" >&2; \
      echo "$MALICIOUS" >&2; \
      exit 1; \
    fi

Member

@nforro left a comment

I think we need a base image 🙂

Member

@lbarcziova left a comment

thank you!

@TomasTomecek TomasTomecek merged commit 151e9a7 into packit:main Mar 25, 2026
7 checks passed
@TomasTomecek TomasTomecek deleted the litellm-sec branch March 25, 2026 13:00