DEV Community

Alex Spinov
LiteLLM Got Compromised on PyPI — How to Check If Your Python Packages Are Safe

LiteLLM versions 1.82.7 and 1.82.8 on PyPI were just confirmed compromised. If you installed either version, your environment may be affected.

This is not new. PyPI packages get compromised regularly. The question is: how do you protect yourself?

Here are the free tools and APIs you can use right now to audit your Python dependencies.

1. Check Your Installed Version

pip show litellm
# If version is 1.82.7 or 1.82.8 — take action immediately

# Downgrade to safe version
pip install litellm==1.82.6

2. Use pip-audit (Free, Offline)

pip install pip-audit
pip-audit

This scans ALL your installed packages against the OSV vulnerability database.

3. Check PyPI Package History via API

PyPI has a free JSON API — no key needed:

import requests

def check_package(name):
    resp = requests.get(f"https://pypi.org/pypi/{name}/json", timeout=10)
    resp.raise_for_status()  # fail loudly on 404 / rate limiting instead of parsing an error body
    data = resp.json()

    info = data["info"]
    print(f"Package: {info['name']} v{info['version']}")
    print(f"Author: {info.get('author') or 'N/A'}")        # field may be null or empty
    print(f"Maintainer: {info.get('maintainer') or 'N/A'}")

    # Check all versions (PyPI returns the releases object in version order)
    versions = list(data["releases"].keys())
    print(f"Total versions: {len(versions)}")
    print(f"Latest 5: {versions[-5:]}")

    # Check upload dates for suspicious patterns. The JSON API does not expose
    # who uploaded a file, so show the artifact name and its yanked status instead.
    for ver in versions[-3:]:
        for f in data["releases"][ver]:
            status = "YANKED" if f.get("yanked") else "ok"
            print(f"  v{ver}: uploaded {f['upload_time'][:10]} {f['filename']} [{status}]")

check_package("litellm")

4. OSV.dev API (Google's Vulnerability Database)

import requests

# Check if a specific package version has known vulnerabilities
resp = requests.post("https://api.osv.dev/v1/query", json={
    "package": {
        "name": "litellm",
        "ecosystem": "PyPI"
    },
    "version": "1.82.7"
}, timeout=10)
resp.raise_for_status()

# OSV omits the "vulns" key entirely when nothing matches
vulns = resp.json().get("vulns", [])
if vulns:
    print(f"VULNERABLE! {len(vulns)} known issues:")
    for v in vulns:
        print(f"  {v['id']}: {v.get('summary', 'No summary')}")
else:
    print("No known vulnerabilities (yet)")

5. Monitor Dependencies Continuously

import json
import subprocess
import sys

import requests

# Get all installed packages from the pip that belongs to THIS interpreter,
# so a different pip on PATH does not give a misleading answer
result = subprocess.run(
    [sys.executable, "-m", "pip", "list", "--format=json"],
    capture_output=True, text=True, check=True,
)
packages = json.loads(result.stdout)

print(f"Checking {len(packages)} packages...")
for pkg in packages:
    resp = requests.post("https://api.osv.dev/v1/query", json={
        "package": {"name": pkg["name"], "ecosystem": "PyPI"},
        "version": pkg["version"]
    }, timeout=10)
    resp.raise_for_status()
    vulns = resp.json().get("vulns", [])
    if vulns:
        print(f"  [!] {pkg['name']}=={pkg['version']}: {len(vulns)} vulnerabilities")

Key Takeaways

  1. Pin your dependencies — use == in requirements.txt, not >=
  2. Audit regularly — run pip-audit weekly or in CI
  3. Check upload dates — a new version at odd hours is suspicious
  4. Use lockfiles: pip-compile or poetry.lock
  5. Monitor advisories — OSV.dev, GitHub Advisories, PyPI itself
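An added example, not code from the article: takeaways 1 and 3 turned into reusable checks over the "releases" object that the PyPI JSON API returns (here a constructed sample whose versions echo the article and whose dates are made up), flagging releases pushed in quiet UTC hours or within an hour of the previous one, and finding exact pins in a requirements file that hit a known-bad version list. The quiet-hour window and the one-hour gap are assumed thresholds.

```python
import re
from datetime import datetime, timedelta

# CONSTRUCTED sample shaped like the "releases" object from
# https://pypi.org/pypi/{name}/json; versions from the article, dates made up.
SAMPLE_RELEASES = {
    "1.82.6": [{"filename": "litellm-1.82.6-py3-none-any.whl", "yanked": False,
                "upload_time_iso_8601": "2026-03-20T14:05:00.000000Z"}],
    "1.82.7": [{"filename": "litellm-1.82.7-py3-none-any.whl", "yanked": True,
                "upload_time_iso_8601": "2026-03-24T03:12:00.000000Z"}],
    "1.82.8": [{"filename": "litellm-1.82.8-py3-none-any.whl", "yanked": True,
                "upload_time_iso_8601": "2026-03-24T03:41:00.000000Z"}],
}

def release_timeline(releases):
    """[(version, earliest upload time in UTC, all files yanked)] oldest to newest."""
    rows = []
    for ver, files in releases.items():
        if not files:  # releases with no artifacts carry no upload time
            continue
        first = min(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                    for f in files)
        rows.append((ver, first, all(f.get("yanked", False) for f in files)))
    # numeric sort on X.Y.Z; non-numeric parts (rc, post) sort as 0
    return sorted(rows, key=lambda r: tuple(int(p) if p.isdigit() else 0 for p in r[0].split(".")))

def flag_suspicious(releases, max_gap_minutes=60, quiet_hours=(0, 6)):
    """Map version -> reasons. Thresholds are assumptions; tune quiet_hours to the maintainers' zone."""
    findings, timeline = {}, release_timeline(releases)
    for i, (ver, ts, yanked) in enumerate(timeline):
        reasons = []
        if yanked:
            reasons.append("yanked")
        if quiet_hours[0] <= ts.hour < quiet_hours[1]:
            reasons.append("quiet-hours upload")
        if i and ts - timeline[i - 1][1] <= timedelta(minutes=max_gap_minutes):
            reasons.append("rapid follow-up release")
        if reasons:
            findings[ver] = reasons
    return findings

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)")

def affected_pins(requirements_text, package, bad_versions):
    """Exact '==' pins of `package` whose version is in bad_versions; loose specs (>=) never match."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1).lower().replace("_", "-") == package.lower() and m.group(2) in bad_versions:
            hits.append(m.group(2))
    return hits
```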

Free Security APIs

  • PyPI JSON API: pypi.org/pypi/{package}/json (no key)
  • OSV.dev: api.osv.dev/v1/query (no key)
  • NVD API: services.nvd.nist.gov/rest/json/cves/2.0 (no key)
  • npm Audit API: registry.npmjs.org/-/npm/v1/security/advisories (no key)

Supply chain attacks are getting more common. The tools to protect yourself are free — use them.
