From 52247d711bb7b22dd3a8237a5db46aa225bf9e94 Mon Sep 17 00:00:00 2001 From: Tomas Tomecek Date: Wed, 25 Mar 2026 08:52:10 +0100 Subject: [PATCH 1/2] Exclude compromised litellm versions 1.82.7 and 1.82.8 litellm 1.82.7 and 1.82.8 were supply-chain-compromised packages containing a malicious .pth file that executes at Python startup and exfiltrates credentials (SSH keys, cloud creds, kubeconfigs). litellm is a transitive dependency via beeai-framework, which allows >=1.76.1,<2.0.0, so pip could resolve to either bad version. See: https://github.com/BerriAI/litellm/issues/24512 Signed-off-by: Tomas Tomecek Assisted-by: Claude --- pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/pyproject.toml b/pyproject.toml index 9d293183..a7098bec 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -13,6 +13,7 @@ readme = "README.md" requires-python = ">=3.13,<3.14" # we are installing bee 0.1.55 in containers now dependencies = [ + "litellm!=1.82.7,!=1.82.8", "aiohttp>=3.12.15", "aiofiles>=24.1.0", "arize-phoenix-otel>=0.13.0", From c88bfbcfcad4e34406b205edf15db0a7c1425b1e Mon Sep 17 00:00:00 2001 From: Tomas Tomecek Date: Wed, 25 Mar 2026 08:52:30 +0100 Subject: [PATCH 2/2] Add build-time check for malicious litellm_init.pth in Containerfiles The compromised litellm 1.82.7/1.82.8 packages drop a litellm_init.pth file into site-packages that executes automatically at Python startup. Adding a RUN step after pip install that searches /usr and /opt for this file and fails the build if found provides a defence-in-depth safety net in case the version exclusion is ever bypassed. Signed-off-by: Tomas Tomecek Assisted-by: Claude --- Containerfile.c10s | 8 ++++++++ Containerfile.c9s | 8 ++++++++ Containerfile.c9s-tests | 8 ++++++++ Containerfile.supervisor | 8 ++++++++ Containerfile.tests | 8 ++++++++ 5 files changed, 40 insertions(+) diff --git a/Containerfile.c10s b/Containerfile.c10s index 3ad6c858..234ba332 100644 --- a/Containerfile.c10s +++ b/Containerfile.c10s 
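Review bot: The new `"litellm!=1.82.7,!=1.82.8"` entry in `dependencies` carries no comment, so the reason for the exclusion lives only in the commit message and the line is easy to drop in a later cleanup. I would put `# litellm 1.82.7 and 1.82.8 were supply-chain-compromised releases; see https://github.com/BerriAI/litellm/issues/24512` directly above it. The specifier is also a denylist of the two releases known today, so the resolver remains free to pick any later litellm release inside the range beeai-framework allows. If the project keeps a lock file or hash-pinned requirements (none is visible in this patch), that is the place to hold litellm at a vetted version. The `dependencies` array continues past the end of the hunk.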
@@ -42,6 +42,7 @@ RUN dnf -y install --allowerasing \ && dnf clean all RUN pip3 install --no-cache-dir \ + "litellm!=1.82.7,!=1.82.8" \ beeai-framework[vertexai,mcp,duckduckgo]==0.1.55 \ google-cloud-aiplatform \ openinference-instrumentation-beeai \ @@ -51,6 +52,13 @@ RUN pip3 install --no-cache-dir \ pytest \ pytest-asyncio +# Verify no malicious litellm_init.pth was introduced by compromised litellm packages (e.g. 1.82.7, 1.82.8) +RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \ + if [ -n "$MALICIOUS" ]; then \ + echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \ + exit 1; \ + fi + # Create user RUN useradd -m -G wheel beeai diff --git a/Containerfile.c9s b/Containerfile.c9s index 173190b8..39660786 100644 --- a/Containerfile.c9s +++ b/Containerfile.c9s @@ -44,6 +44,7 @@ RUN dnf -y install --allowerasing \ RUN python3.11 -m venv --system-site-packages /opt/beeai-venv \ && /opt/beeai-venv/bin/pip install --upgrade pip \ && /opt/beeai-venv/bin/pip install --no-cache-dir \ + "litellm!=1.82.7,!=1.82.8" \ beeai-framework[vertexai,mcp,duckduckgo]==0.1.55 \ google-cloud-aiplatform \ openinference-instrumentation-beeai \ @@ -52,6 +53,13 @@ RUN python3.11 -m venv --system-site-packages /opt/beeai-venv \ specfile \ koji +# Verify no malicious litellm_init.pth was introduced by compromised litellm packages (e.g. 1.82.7, 1.82.8) +RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \ + if [ -n "$MALICIOUS" ]; then \ + echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \ + exit 1; \ + fi + # Make venv Python the default ENV PATH=/opt/beeai-venv/bin:$PATH diff --git a/Containerfile.c9s-tests b/Containerfile.c9s-tests index 3c6bd2c7..61f9787c 100644 --- a/Containerfile.c9s-tests +++ b/Containerfile.c9s-tests 
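Review bot: The specifier `"litellm!=1.82.7,!=1.82.8"` is now repeated verbatim in this `pip3 install` and in the install steps of Containerfile.c9s, Containerfile.c9s-tests, Containerfile.supervisor and Containerfile.tests, as well as in pyproject.toml. The next bad release therefore has to be added in six places, and a newly added Containerfile can silently miss it. A single constraints file passed to each install, for example `pip3 install --no-cache-dir -c constraints.txt \` with `constraints.txt` being a file this repository would add, keeps the exclusion list in one place. Apart from beeai-framework, the packages on these command lines are unpinned, which is outside this change but is the same kind of exposure the commit is reacting to.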
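Review bot: The added `find /usr /opt -name "litellm_init.pth"` step, here and in the identical steps of the other four Containerfiles, recognises one file name from one incident and runs only after the install has finished, so it reports a compromise rather than preventing one, and the comment above it should say that. Something like `# Indicator check for the litellm 1.82.7/1.82.8 incident only; if it fires, treat every credential reachable from this build as exposed` sets the right expectation for whoever sees the build fail. It is worth keeping the check free of any Python invocation, as it is now, because per the commit message the file runs at interpreter startup. The search roots cover the system and venv locations these files install into; a user-site install under a home directory would not be seen, which appears not to apply here since the installs run before `useradd`.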
@@ -24,6 +24,7 @@ RUN dnf -y install --allowerasing \ RUN python3.11 -m venv --system-site-packages /opt/beeai-venv \ && /opt/beeai-venv/bin/pip install --upgrade pip \ && /opt/beeai-venv/bin/pip install --no-cache-dir \ + "litellm!=1.82.7,!=1.82.8" \ beeai-framework[vertexai,mcp,duckduckgo]==0.1.55 \ openinference-instrumentation-beeai \ arize-phoenix-otel \ @@ -37,6 +38,13 @@ RUN python3.11 -m venv --system-site-packages /opt/beeai-venv \ GitPython \ tomli-w +# Verify no malicious litellm_init.pth was introduced by compromised litellm packages (e.g. 1.82.7, 1.82.8) +RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \ + if [ -n "$MALICIOUS" ]; then \ + echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \ + exit 1; \ + fi + # Make venv Python the default ENV PATH=/opt/beeai-venv/bin:$PATH diff --git a/Containerfile.supervisor b/Containerfile.supervisor index 4f26214d..be570a8b 100644 --- a/Containerfile.supervisor +++ b/Containerfile.supervisor @@ -26,6 +26,7 @@ RUN dnf -y install --allowerasing \ gcc-c++ \ python3-devel \ && pip3 install -v --no-cache-dir \ + "litellm!=1.82.7,!=1.82.8" \ beeai-framework[vertexai,mcp,duckduckgo]==0.1.55 \ google-cloud-aiplatform \ openinference-instrumentation-beeai \ @@ -35,6 +36,13 @@ RUN dnf -y install --allowerasing \ && dnf -y remove gcc gcc-c++ python3-devel \ && dnf clean all +# Verify no malicious litellm_init.pth was introduced by compromised litellm packages (e.g. 1.82.7, 1.82.8) +RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \ + if [ -n "$MALICIOUS" ]; then \ + echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \ + exit 1; \ + fi + # Create user RUN useradd -m -G wheel beeai diff --git a/Containerfile.tests b/Containerfile.tests index 1c869ee1..913bb18e 100644 --- a/Containerfile.tests +++ b/Containerfile.tests 
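Review bot: In Containerfile.supervisor the check runs one layer too late: the `pip3 install` is chained with `&& dnf -y remove gcc gcc-c++ python3-devel` and `&& dnf clean all` in the same RUN, so those commands execute after the packages land and before the new `find` step. If dnf on this base image is a Python program using the interpreter that pip3 installed into (likely, but not visible in the hunk), a dropped `.pth` file would already have run by the time the build is failed. Placing the test inside the chain, directly after the pip3 package list, closes that window: `&& test -z "$(find /usr /opt -name litellm_init.pth 2>/dev/null)" \`. The RUN instruction starts above the hunk.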
@@ -30,7 +30,15 @@ ENV PYTHONPATH=/src:$PYTHONPATH # Install BeeAI Framework and FastMCP RUN pip3 install --no-cache-dir \ + "litellm!=1.82.7,!=1.82.8" \ beeai-framework[vertexai,mcp,duckduckgo]==0.1.55 \ fastmcp redis backoff +# Verify no malicious litellm_init.pth was introduced by compromised litellm packages (e.g. 1.82.7, 1.82.8) +RUN MALICIOUS=$(find /usr /opt -name "litellm_init.pth" 2>/dev/null); \ + if [ -n "$MALICIOUS" ]; then \ + echo "SECURITY ALERT: malicious litellm_init.pth detected: $MALICIOUS"; \ + exit 1; \ + fi + WORKDIR /src