CVE Reports

Originally published at cvereports.com

GHSA-5MG7-485Q-XM76: Supply Chain Compromise and Credential Harvesting Malware in LiteLLM

Vulnerability ID: GHSA-5MG7-485Q-XM76
CVSS Score: 10.0
Published: 2026-03-25

Threat actors compromised the CI/CD pipeline of the LiteLLM package by poisoning a dependency, allowing them to steal PyPI publisher credentials. These credentials were used to publish two malicious versions of LiteLLM that deploy a persistent credential harvester and Kubernetes worm via Python's .pth file mechanism.

TL;DR

Malicious actors published LiteLLM versions 1.82.7 and 1.82.8 to PyPI after stealing publisher credentials via a compromised GitHub Action. The malware automatically executes on Python startup to steal cloud, developer, and AI credentials, while attempting lateral movement within Kubernetes clusters.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain / CI/CD Poisoning
  • Execution Mechanism: Python .pth File Initialization
  • CWE ID: CWE-506 (Embedded Malicious Code)
  • Impact: Credential Theft and Lateral Movement
  • Exploit Status: Active Exploitation (March 2026)
  • Malicious Domain: models.litellm.cloud

Affected Systems

  • Python Virtual Environments
  • CI/CD Build Runners
  • Kubernetes Clusters running AI workloads
  • Developer Workstations
  • litellm: 1.82.7 - 1.82.8 (Fixed in: Removed from PyPI)

Mitigation Strategies

  • Network Isolation
  • Package Downgrade/Pinning
  • Comprehensive Secret Rotation
  • Kubernetes RBAC Auditing

Remediation Steps:

  1. Disconnect infected machines or containers from the network to prevent further exfiltration and lateral movement.
  2. Identify compromised environments using pip show litellm.
  3. Uninstall the malicious package and install a known safe version (e.g., 1.82.6).
  4. Immediately revoke and rotate ALL secrets present on the system, including AWS/Cloud Access Keys, GitHub PATs, SSH Private Keys, AI API Keys, and Slack/Discord Webhooks.
  5. Review Kubernetes audit logs for unauthorized API access that used service account tokens originating from the compromised pods.
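
An added example, not code from the original report or from the LiteLLM project, that extends step 2: it reads package metadata and .pth files straight from a site-packages directory, so nothing in the suspect environment is imported or executed. The script name and the layout of the findings dictionary are assumptions made for illustration.

```python
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSIONS = {"1.82.7", "1.82.8"}  # malicious releases named in the advisory


def executable_pth_lines(text):
    """Return the .pth lines that site.py passes to exec() at interpreter startup.

    site.py executes any line starting with "import" plus a space or tab;
    other non-comment lines are only treated as paths to add to sys.path.
    """
    return [ln.strip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def audit_site_dir(site_dir):
    """Inspect one site-packages directory without importing anything from it."""
    site_dir = Path(site_dir)
    findings = {"bad_litellm": None, "pth_exec": {}}
    for dist in metadata.distributions(path=[str(site_dir)]):
        try:
            name = (dist.metadata["Name"] or "").lower()
        except Exception:  # unreadable or damaged metadata: skip this entry
            continue
        if name == "litellm" and dist.version in BAD_VERSIONS:
            findings["bad_litellm"] = dist.version
    for pth in sorted(p for p in site_dir.glob("*.pth") if p.is_file()):
        lines = executable_pth_lines(
            pth.read_text(encoding="utf-8", errors="replace"))
        if lines:
            # Legitimate tools also ship import lines in .pth files, so this
            # is a list for manual review, not a verdict.
            findings["pth_exec"][pth.name] = lines
    return findings


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 -S audit_pth.py <site-packages dir> [...]
    # -S skips site.py, so the auditing interpreter runs no .pth file itself.
    results = {arg: audit_site_dir(arg) for arg in sys.argv[1:]}
    for path, result in results.items():
        print(path, result)
    sys.exit(1 if any(r["bad_litellm"] for r in results.values()) else 0)
```

Run it from an interpreter outside the suspect environment and pass that environment's site-packages path as the argument.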

Read the full report for GHSA-5MG7-485Q-XM76 on our website for more details including interactive diagrams and full exploit analysis.