The LiteLLM supply chain attack is a bit of a wake-up call.
Somehow it has not been very prominent in the news. I received an email from Mercor stating that a recent supply chain attack involving LiteLLM had affected their systems.
According to reports, malicious code was injected directly into official versions of the LiteLLM package, which were published on PyPI.
When developers installed the package in production using pip as usual, they unknowingly introduced the malicious code into their environments. The malicious package reportedly harvested cloud credentials, SSH keys, API tokens, and even tried lateral movement in Kubernetes environments.
The lesson here is simple: “pip install latest” in production is no longer safe.
At a minimum, before installing a package in production, check:
- When was this version published?
- Are you pinning versions?
- Are you using hash-locked requirements?
I’ve experimented with a small tool that adds a check before pip installs a package. Not commercial yet, just a safety layer for developers after the LiteLLM incident.
You can check it out here; please star it if you like it:
https://github.com/AnantDhavale/pip-guardian/tree/main
Download it from PyPI:
pip install pip-guardian
Here's the README version for you, with some details:
Feature set
1) Pre-install risk policy
- Version age rules:
  - block if the version is very new (default < 5h)
  - warn if the version is recent (default < 48h)
- Blocks yanked releases.
- Blocks known-compromised versions from a local blocklist.
- Blocks maintainer identities from a local blocklist.
2) Deep artifact scanning
- Downloads wheel/sdist artifacts from PyPI before install.
- Verifies the artifact SHA256 against PyPI metadata.
- Static scan heuristics for:
  - executable .pth startup hooks
  - sitecustomize.py / usercustomize.py
  - obfuscated payload patterns (e.g., long base64 + dynamic execution)
  - credential-exfiltration-like behavior
  - persistence indicators (e.g., systemd artifacts)
  - Kubernetes lateral-movement indicators
3) Built-in incident guard (LiteLLM March 2026)
- Blocks:
  - litellm==1.82.7
  - litellm==1.82.8
- Runbook: docs/INCIDENT_LITELLM_2026.md
4) CI-friendly JSON mode
- --json emits one machine-readable JSON object.
- --yes allows a non-interactive proceed on WARN.
- Exit codes:
  - 0: install succeeded
  - 1: blocked, warn not confirmed, or pip install failure
  - 2: usage/argument errors
5) Logging
- Decision logs are written as JSONL.
- Primary path: ~/.pip_guardian/guardian.log
- Fallback path (if home is not writable): ./.pip_guardian/guardian.log
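To make the pre-install policy and the SHA256 check above concrete, here is an added example (my own illustration, not pip-guardian's code) that applies the README defaults of block < 5h and warn < 48h, the yanked-release check and a local blocklist to PyPI-style release metadata, then verifies a downloaded artifact against the advertised digest. The package name examplepkg, its versions, timestamps, the fixed clock and the artifact bytes are constructed for the demo; only the two litellm versions come from the post.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# README defaults: block if the version is < 5h old, warn if < 48h old.
BLOCK_AGE = timedelta(hours=5)
WARN_AGE = timedelta(hours=48)
# Constructed blocklist in the shape the README gives for policies/blocklist.json.
BLOCKLIST = {"packages": {"litellm": ["1.82.7", "1.82.8"]}, "maintainers": []}

# Constructed stand-ins for a fetched wheel and for the PyPI "releases" JSON of a
# hypothetical package (timestamps and yanked flags are made up for the demo).
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed wheel bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
SAMPLE_RELEASES = {
    "2.0.0": [{"upload_time_iso_8601": "2026-03-24T09:00:00Z", "yanked": False,
               "digests": {"sha256": SAMPLE_DIGEST}}],          # 3h old
    "1.9.1": [{"upload_time_iso_8601": "2026-03-20T09:00:00Z", "yanked": True,
               "digests": {"sha256": SAMPLE_DIGEST}}],          # yanked
    "1.9.0": [{"upload_time_iso_8601": "2026-03-23T00:00:00Z", "yanked": False,
               "digests": {"sha256": SAMPLE_DIGEST}}],          # 36h old
    "1.8.0": [{"upload_time_iso_8601": "2026-03-01T00:00:00Z", "yanked": False,
               "digests": {"sha256": SAMPLE_DIGEST}}],          # weeks old
}
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def release_age(files, now):
    # Age is measured from the earliest uploaded file of the release.
    uploaded = min(datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
                   for f in files)
    return now - uploaded

def decide(package, version, releases, now=NOW, blocklist=BLOCKLIST):
    """Return ("BLOCK" | "WARN" | "OK", reason) for package==version."""
    if version in blocklist["packages"].get(package, []):
        return "BLOCK", "version is on the local blocklist"
    files = releases.get(version)
    if not files:
        return "BLOCK", "version not present in index metadata"
    if any(f.get("yanked") for f in files):
        return "BLOCK", "release has been yanked"
    age = release_age(files, now)
    if age < BLOCK_AGE:
        return "BLOCK", f"published {age} ago (< {BLOCK_AGE})"
    if age < WARN_AGE:
        return "WARN", f"published {age} ago (< {WARN_AGE})"
    return "OK", "passes age, yanked and blocklist checks"

def verify_sha256(artifact_bytes, files):
    """Accept the artifact only if its SHA256 matches a digest PyPI advertised."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return any(f["digests"]["sha256"] == digest for f in files)
```

A real checker would fetch https://pypi.org/pypi/<name>/json and feed its "releases" entry into decide() in place of SAMPLE_RELEASES.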
Installation
Install from PyPI:
python -m pip install pip-guardian
Upgrade:
python -m pip install --upgrade pip-guardian
Install from source (development):
git clone https://github.com/AnantDhavale/pip-guardian.git
cd pip-guardian
python -m pip install .
Usage
guardian install requests
guardian install litellm==1.82.8
guardian install fastapi --index-url https://pypi.org/simple
guardian install requests --json --yes
Policy and IOC files
policies/config.yaml:
- age thresholds
- deep-scan score thresholds
- executable .pth blocking toggle
policies/blocklist.json:
- package/version deny list
- maintainer deny list
Repository structure
guardian/cli.py - command entrypoint
guardian/policy_engine.py - risk decision logic
guardian/scanner.py - deep artifact scanning
guardian/pypi_checker.py - PyPI metadata collection
guardian/logger.py - local decision logging
Notes:
- This reduces risk but is not a full malware sandbox.
- For production, use pinned dependencies and hash-locked installs.