news.volyx.in

Malicious litellm_init.pth in litellm 1.82.8 PyPI package – credential stealer (github.com)

739 points by theanonymousone · 114 days ago · 1 comments on HN

Article summary

A malicious version of the litellm package (1.82.8) was found on PyPI, containing a credential-stealing script that executes automatically when the Python interpreter starts. The script collects sensitive data, including environment variables, SSH keys, and cloud credentials, and sends it to an attacker-controlled server. The issue affects anyone who installed the package via pip, including local development machines, CI/CD pipelines, Docker containers, and production servers. Users are advised to check for the malicious file and rotate all affected credentials.

Main themes

  • PyPI package security
  • Credential stealing
  • Supply chain compromise
  • Python interpreter vulnerability
  • CI/CD pipeline security

What commenters say

  • The discovery of the malicious package highlights the need for improved security measures on PyPI to prevent similar incidents in the future.
  • The use of automated tools and scripts in CI/CD pipelines increases the risk of supply chain compromises, and more caution is needed when installing dependencies.
  • The fact that the malicious script was able to steal sensitive data without being detected for some time raises concerns about the effectiveness of current security practices in the industry.
  • The incident demonstrates the importance of regularly auditing and rotating credentials, as well as implementing robust security measures to protect against potential breaches.
  • Some argue that the blame lies with the package maintainers for not properly securing their PyPI account, while others believe that the issue is a result of a broader problem with the Python ecosystem.
  • There is a need for more transparency and accountability in the open-source community, particularly when it comes to security incidents and their handling.
  • The incident has sparked a debate about the trade-offs between convenience and security in the use of package managers like pip, and the need for a more secure alternative.