I hope this isn’t true. I’m not claiming its true. I’m asking for help to confirm this is true or not.
This seems important so I’m providing some links. Go to each link and read the whole thing. I would like to know if this has been confirmed somewhere.
I went to the litellm page and I only see version 1.82.6 not the claimed corrupt 1.82.8. Did pypi roll back the change?
NOTE: My understanding is litellm could be installed with other packages because it’s a dependency.
Quoted post:
LiteLLM has been compromised, Do not update We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below. https://x.com/hnykda/status/2036414330267193815
By the time I saw the post on Reddit about this, PyPI had already taken down the package. My thanks to the PyPI and packaging and security folks for responding to this quickly.
Every few months or so, there’s a blog post or news article about “we found malware on the Python Package Index!!!” and it’s always overblown. Yes, the fact that anyone can upload Python packages to PyPI means that anyone can upload malware. But the impact is almost always negligible or nonexistent. These articles will say stuff like “the affected package was downloaded over 600 times” without mentioning that there are many PyPI mirrors that automatically download all packages (sometimes with multiple repeat downloads). This doesn’t mean 600 people were affected. If you look at these articles, they never name an actual individual or organizations. (That would require actual journalistic investigation; they’d rather just copy a number off a PyPI stat tracker.)
Maintaining open source infrastructure is an often a thankless and unpaid task. It’s not whether malware gets uploaded to PyPI but how PyPI responds. PyPI has developed several automated measures for detecting and responding to a whole host of security issues. I think the PyPI folks (both PSF staff and volunteers) do an exceptional job, despite what people might believe from reading clickbait.
This looks like a good time for litellm to upload a “new” package that’s just the previous clean version with a new number. An upload of 1.82.9 with a comment that it’s identical to 1.82.6 would mean that the solution, for anyone who’s compromised, is simply “upgrade to the clean version”.
.