My minute-by-minute response to the LiteLLM malware attack
TL;DR Highlight
A real-time incident response record in which an ML engineer, with the help of Claude Code, discovered and disclosed a supply chain attack hidden in litellm version 1.82.8 on PyPI within 72 minutes. It demonstrates that even non-security developers can detect and report malware using AI tools.
Who Should Read
Backend/ML engineers who use Python packages as dependencies, or developers interested in open-source supply chain security. An essential reference especially for teams using AI development tool stacks such as litellm, uvx, and Cursor.
Core Mechanics
- On March 24, 2026 at 10:52 UTC, litellm v1.82.8 was uploaded to PyPI with no corresponding GitHub tag. It appeared to be an official release but was actually a malicious package; the last legitimate version was v1.82.6.
- The attack chain was: Cursor → futuresearch-mcp-legacy (v0.6.0) → litellm (v1.82.8) → litellm_init.pth. This meant users could be infected through the dependency chain even without directly installing litellm.
- The core of the malware was the litellm_init.pth file (34KB). A .pth file is a special file that automatically executes every time Python starts, without any import statement. This file was also registered in RECORD (the official package manifest) with its sha256 hash, confirming it was included in the official wheel.
- The malware had three objectives: credential theft, lateral movement within a Kubernetes cluster, and data exfiltration. It attempted to establish persistence by creating ~/.config/sysmon/sysmon.py, but was interrupted by a forced reboot when an 11,000-process fork bomb occurred.
- The discoverer, Callum McMahon, is an ML engineer, not a security expert. Through conversations with Claude Code, he performed journalctl log analysis, confirmed the package re-download in a Docker-isolated environment, contacted the PyPI security team (security@pypi.org), and published a public blog post. Only 72 minutes elapsed from the first symptom to public disclosure.
- Claude Code took only 3 minutes to write the public blog post, create a PR, and merge it. Claude Code directly authored the disclosure post, demonstrating that AI can support not just analysis but also the communication phase.
- The malicious package was live on PyPI for approximately 46 minutes (around 10:52–12:04 before and after public disclosure). Had automated dependency updates run during that window, infection was possible — and in fact, FutureSearch's MCP server pulled that version during that period and was compromised.
Evidence
- "Discoverer Callum left a comment identifying himself as an ML engineer. He noted that 'Claude guided me step by step through contacting the PyPI security team and the time-critical sequence of actions — it was a game changer for a non-security professional.' He also asked the community whether more vulnerability reports from non-experts would be a net benefit or a burden to the security community, to which a realistic counterpoint emerged: 'The problem isn't non-expert reporting itself, but reporting in ways that make triage harder.' A highly upvoted comment highlighted the danger of .pth files: 'Most developers think pip install just puts files on disk and runs them at import time, but .pth files execute every time Python starts, with no import needed. Unlike npm's postinstall hook which runs only once, .pth files run every single time — making them far more persistent.' Concerns were also raised about Claude potentially executing malware by accident. In the transcript, the discoverer explicitly tells Claude 'please don't accidentally run this when downloading in the Docker container,' and a commenter warned: 'LLM agents have no sense of accountability — if they accidentally execute a script, it's a disaster. Sandboxing untrusted code is doable in one or two commands, but you have to be careful about delegating too much to a text prediction machine.' A '24-hour dependency update delay policy' was mentioned across multiple comments as a practical countermeasure against supply chain attacks. Commenters shared concrete experience: 'Many teams use auto-merge Dependabot PRs with no delay, which exposes them even within a 46-minute malicious package window. A simple policy of no package updates within 24 hours of release would have fully prevented this attack — uv already supports this.' There were also proposals for package registries like PyPI to provide real-time event feeds (firehoses): 'Scanners capable of instant detection already exist, but there's no channel to receive updates in real time. If GitHub, npm, and PyPI exposed real-time streams for security analysis, attacks like this could be caught much faster.' It was also noted that enterprise-scale teams need to build all packages from source or use internal mirrors, while for smaller teams, dependency pinning/locking plus a waiting period is the realistic defensive baseline."
How to Apply
- "For projects using uv, apply a 24-hour cooldown to dependency updates. This is an already-supported uv feature that prevents deployment pipelines from automatically pulling new releases immediately after publication, completely eliminating exposure windows like the 46-minute attack window in this case. If you have AI agents connected to production environments (MCP servers, Cursor plugins, etc.), audit the list of packages those agents depend on and pin their versions. Tools like uvx that dynamically pull dependencies at runtime are a particular attack surface, so consider maintaining an internal allowlist and a manual approval gate. When a system becomes unusually slow or shows a sudden spike in processes, you can use Claude Code or similar AI coding tools to jointly analyze journalctl logs, htop output, and package manifests (RECORD files). Even without security expertise, explicitly asking the AI to 'consider the possibility of malicious behavior' can accelerate early incident response significantly. Establish an isolation verification procedure for suspected malicious packages. Re-download the suspect package inside a Docker container, check the file list and whether any .pth files are present, and read the contents without executing anything. As in this case, emailing the PyPI security team (security@pypi.org) with evidence (file hashes, infection path) can result in a quarantine action."
Code Example
snippet
# How to inspect a .pth file without executing it (Docker isolated environment)
docker run --rm --network none python:3.11 bash -c "
pip install litellm==1.82.8 --dry-run 2>&1 | head -20
pip download litellm==1.82.8 -d /tmp/pkg --no-deps
cd /tmp/pkg && unzip -l litellm-*.whl | grep .pth
"
# Read the .pth file contents (without executing it)
docker run --rm --network none python:3.11 bash -c "
pip install litellm==1.82.8
cat $(python -c 'import site; print(site.getsitepackages()[0])')/litellm_init.pth
"
# Configure 24-hour dependency update delay in uv (uv.toml)
# [pip]
# upgrade-package-delay = '24h'
# List all .pth files in installed packages
python -c "
import site, os
for sp in site.getsitepackages():
for f in os.listdir(sp):
if f.endswith('.pth'):
print(os.path.join(sp, f))
"Terminology
.pth 파일A special configuration file that automatically executes every time Python starts. Because it runs without any import statement, malicious code installed via a package can execute on every startup — making it far more dangerous than an ordinary file.
공급망 공격(Supply Chain Attack)Instead of attacking a target directly, this method compromises a package or library that developers trust, infecting everyone who uses it. Analogous to targeting all restaurant patrons by contaminating the food supplier.
포크 폭탄(Fork Bomb)An attack where a process continuously clones itself, exhausting system resources. In this case, 11,000 processes were spawned, crashing the system — and paradoxically, this became the clue that led to the malware's discovery.
횡적 이동(Lateral Movement)A technique where an attacker, rather than staying on the initial compromised system, moves to other systems within the network to expand damage. In a Kubernetes environment, this refers to accessing other services or nodes from a single compromised Pod.
MCP (Model Context Protocol)A protocol that allows AI models to access external tools and data. It is the standard communication method used by AI tools like Claude and Cursor when interacting with file systems, APIs, and more.
wheel (.whl)The distribution format for Python packages. It is a compressed archive that pip can install directly without compiling source code, and it may contain executables or files such as .pth files.
Related Papers
Show HN: adamsreview – better multi-agent PR reviews for Claude Code
Claude Code에서 최대 7개의 병렬 서브 에이전트가 각각 다른 관점으로 PR을 리뷰하고, 자동 수정까지 해주는 오픈소스 플러그인이다. 기존 /review나 CodeRabbit보다 실제 버그를 더 많이 잡는다고 주장하지만 커뮤니티에서는 복잡도와 실효성에 대한 회의론도 나왔다.
How Fast Does Claude, Acting as a User Space IP Stack, Respond to Pings?
Claude Code에게 IP 패킷을 직접 파싱하고 ICMP echo reply를 구성하도록 시켜서 실제로 ping에 응답하게 만든 실험으로, 'Markdown이 곧 코드이고 LLM이 프로세서'라는 아이디어를 네트워크 스택 수준까지 밀어붙인 재미있는 사례다.
Show HN: Git for AI Agents
AI 코딩 에이전트(Claude Code 등)가 수행한 모든 툴 호출을 자동으로 추적하고, 어떤 프롬프트가 어느 코드 줄을 작성했는지 blame까지 가능한 버전 관리 도구다.
Principles for agent-native CLIs
AI 에이전트가 CLI 도구를 더 잘 사용할 수 있도록 설계하는 원칙들을 정리한 글로, 에이전트가 CLI를 도구로 활용하는 빈도가 높아지면서 이 설계 방식이 실용적으로 중요해지고 있다.
Agent-harness-kit scaffolding for multi-agent workflows (MCP, provider-agnostic)
여러 AI 에이전트가 서로 역할을 나눠 협업할 수 있도록 조율하는 scaffolding 도구로, Vite처럼 설정 없이 빠르게 멀티 에이전트 파이프라인을 구성할 수 있다.
Show HN: Tilde.run – Agent sandbox with a transactional, versioned filesystem
AI 에이전트가 실제 프로덕션 데이터를 건드려도 롤백할 수 있는 격리된 샌드박스 환경을 제공하는 도구로, GitHub/S3/Google Drive를 하나의 버전 관리 파일시스템으로 묶어준다.