LiteLLM loses game of Trivy pursuit, gets compromised

Summary

Two releases of LiteLLM (v1.82.7 and v1.82.8) were removed from PyPI after maintainers discovered credential‑stealing malware hidden in a component file named litellm_init.pth. The compromise stemmed from a polluted CI/CD pipeline: attackers abused a misconfiguration around the Trivy GitHub Action to steal a privileged token and push malicious package updates.

Aqua Security says the attackers (tracked as TeamPCP) published malicious Trivy artifacts and — crucially — modified tags used by the trivy-action, letting existing workflows run altered code because many pipelines rely on version tags rather than pinned commits. LiteLLM maintainers removed PyPI publish tokens and are reviewing account security, while PyPA has issued an advisory telling users to assume exposed credentials must be rotated.

Key Points

  • LiteLLM v1.82.7 and v1.82.8 removed from PyPI after discovery of credential‑stealing code in litellm_init.pth.
  • Attack vector: polluted CI/CD via a compromised Trivy GitHub Actions environment — attackers stole a privileged token and used it to alter workflows and publish malicious releases.
  • Malicious Trivy artefacts published (notable versions cited: v0.69.4, v0.69.5, v0.69.6) and tags of the trivy-action were modified so pipelines using tags ran altered code.
  • Maintainers deleted PyPI publishing tokens and warned that 2FA alone doesn’t protect against leaked tokens; they plan measures like trusted JWT publishing or switching accounts.
  • PyPA advisory: treat any credentials accessible to LiteLLM environments as compromised — revoke and rotate immediately.
  • Attackers also used a spam flood of apparent AI‑generated comments in the project’s GitHub issue tracker to distract and obscure useful discussion.

Author’s take

Punchy and to the point: this is a textbook supply‑chain hit. It’s not just about a dodgy package — it’s about how one compromised CI component can ripple through many projects. If you rely on third‑party actions or use tokenised publishing, assume risk and act.

Why should I read this?

Short answer: because this could be you. If your CI/CD uses Trivy or any external GitHub Action, or you publish to PyPI, you need to check tokens, pin actions to commits, and rotate creds. Don’t bury your head in the sand — a single leaked token can let attackers slip malware into packages people install every day.

Context and relevance

This incident highlights persistent supply‑chain fragility: attack groups now target CI tooling and release pipelines rather than only code repositories. The technique of altering action tags (so pipelines still run but with changed code) is especially worrying — it underlines why organisations should pin GitHub Actions to specific commits, limit token scope, and adopt more robust publishing workflows (for example JWT‑based trusted publishing).

For maintainers and dev teams, this is a timely reminder to audit CI logs, revoke exposed tokens, rotate any credentials that may have been available to affected environments, and follow PyPA guidance. For security teams, it emphasises the need to monitor third‑party actions and to treat supply‑chain security as operational, not theoretical.

Source

Source: https://www.theregister.com/2026/03/24/trivy_compromise_litellm/