[TIMESTAMP: 2026-04-08 12:29 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

litellm 1.82.8 Supply Chain Compromise via Malicious .pth File

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers compromised the litellm 1.82.8 wheel on PyPI to include a malicious file that executes code automatically during Python startup.
  • [02] This compromise affects all Python environments where litellm version 1.82.8 was installed via the official Python Package Index.
  • [03] Security teams must immediately audit environments for litellm 1.82.8 and remove any instances of the malicious litellm_init.pth file.

A high-impact Supply Chain Attack has been identified targeting the popular Python package litellm. According to Bruce Schneier, researchers at Truesec discovered that version 1.82.8 of the library was published with a malicious payload. This incident highlights a sophisticated persistence and execution technique that bypasses traditional application-level security checks.

litellm 1.82.8 PyPI package vulnerability analysis

The compromise involves the injection of a malicious .pth file, specifically named litellm_init.pth, into the Python wheel file distributed via the Python Package Index (PyPI). This file, weighing approximately 34,628 bytes, leverages a documented but often overlooked feature of the Python interpreter. When a Python interpreter initializes, it scans the site-packages directory for files with the .pth extension. If these files contain lines beginning with import, the interpreter executes those lines immediately.

This mechanism results in RCE at the moment the interpreter starts, regardless of whether the litellm library is actually imported by the running application. Because the execution is handled by the interpreter’s site-initialization logic, the malicious code can achieve persistence within a virtual environment or system-wide Python installation. This TTP is especially dangerous for automated environments, such as CI/CD pipelines or SOC automation scripts, where Python scripts may run frequently and with elevated privileges.

Impact and Operational Risks

The litellm library is widely utilized to provide a unified interface for various Large Language Model (LLM) providers. Its adoption in AI-driven applications means this compromise could potentially affect a broad range of infrastructure. Because the execution does not require an explicit import litellm statement, standard static analysis tools that search for suspicious imports in project codebases will fail to detect the threat.

The presence of the malicious file allows for arbitrary code execution, which could be used for data exfiltration, credential harvesting, or establishing a C2 channel. In enterprise environments, this could facilitate Lateral Movement if the compromised Python environment has access to internal network resources or cloud metadata services.

How to detect litellm 1.82.8 malicious pth file

Defenders should prioritize the identification of the specific version and the presence of the unauthorized file. Detection can be performed by inspecting the Python site-packages directory.

  • File Path Identification: Locate the site-packages directory using python -m site. Inspect this directory for the file litellm_init.pth.
  • File Size Verification: The malicious litellm_init.pth file is reported to be exactly 34,628 bytes. Any file matching this name and size should be treated as a high-confidence IoC.
  • Version Auditing: Run pip show litellm to determine the installed version. If version 1.82.8 is present, assume the environment is compromised.
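The three checks above can be combined into a single audit of each site-packages directory, which also reports any other .pth file containing lines the interpreter would execute at startup. This is an added example, not code from the researchers or the package maintainers; the dist-info directory name is assumed from the standard wheel layout, and the demo fixture is constructed from harmless stand-in files.

```python
import site
import tempfile
from pathlib import Path

IOC_NAME = "litellm_init.pth"   # file name reported in this article
IOC_SIZE = 34628                # size in bytes reported in this article
# Assumption: standard wheel metadata directory name, <name>-<version>.dist-info
BAD_DIST = "litellm-1.82.8.dist-info"

def exec_lines(pth: Path) -> list[str]:
    """Return the lines of a .pth file that site.py would execute at startup."""
    text = pth.read_text(encoding="utf-8-sig", errors="replace")  # BOM is stripped, as site.py does
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def audit(site_dir: Path) -> list[tuple[str, str]]:
    """Check one site-packages directory; return (finding_type, detail) pairs."""
    findings = []
    if (site_dir / BAD_DIST).is_dir():
        findings.append(("affected-version", BAD_DIST))
    for pth in sorted(site_dir.glob("*.pth")):
        if pth.name == IOC_NAME:
            size = pth.stat().st_size
            tag = "ioc-name-and-size" if size == IOC_SIZE else "ioc-name"
            findings.append((tag, f"{pth.name} ({size} bytes)"))
        for ln in exec_lines(pth):  # any .pth with executable lines deserves review
            findings.append(("pth-exec-line", f"{pth.name}: {ln[:80]}"))
    return findings

def site_dirs() -> list[Path]:
    """Site-packages directories of the interpreter running this script."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [Path(d) for d in dirs if Path(d).is_dir()]

def demo() -> list[tuple[str, str]]:
    """Constructed fixture: a fake site-packages holding harmless stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / BAD_DIST).mkdir()
        (root / IOC_NAME).write_bytes(b"import os\n".ljust(IOC_SIZE, b"#"))
        (root / "paths_only.pth").write_text("/opt/extra/lib\n")  # benign: path entry only
        return audit(root)

if __name__ == "__main__":
    for d in site_dirs():
        for kind, detail in audit(d):
            print(f"{d}: [{kind}] {detail}")
```

Run it with each interpreter or virtual environment to be checked. Legitimate packages also ship .pth files with import lines, so a pth-exec-line finding on its own is a prompt for review, while the name and size findings correspond to the indicators listed above.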

Python supply chain compromise mitigation steps

Immediate remediation requires the removal of the compromised package and a thorough audit of the environment.

  1. Isolation and Removal: Uninstall the compromised version using pip uninstall litellm. Manually verify that the litellm_init.pth file has been deleted from the filesystem.
  2. Environment Rotation: Because the malicious code could have executed arbitrary commands, compromised environments (including virtual machines, containers, and developer workstations) should be considered untrusted. Rotate any secrets, API keys, or credentials that were accessible within the environment.
  3. Strategic Defenses: As noted in the source material, long-term defense against these threats requires adopting Software Bill of Materials (SBOMs) and verification frameworks like Sigstore and SLSA. Integrating these into a Supply Chain Attack prevention strategy ensures that packages are signed and verified before deployment.

Finally, organizations should configure their SIEM to monitor for unusual outbound network connections originating from Python processes, which may indicate the activation of a malicious payload from a compromised library.
