This Is Not an Anomaly
The LiteLLM incident is part of an accelerating pattern:
- 454,000+ new malicious packages in open-source registries in 2025
- Malicious packages grew 188% YoY in Q2 2025
- 1 in 5 PyPI releases had CVSS 7.0+ vulnerabilities in 2025
- AI supply chain attacks grew 210% YoY in H1 2026
The Dependency Surface Area Problem
| Package | Installed Size | Dependencies |
|---|---|---|
| LiteLLM | ~16.5 MB | 200+ |
| NeuralBridge SDK | 110 KB | 0 |
That is 150x the attack surface. Your AI reliability solution might be your biggest security liability.
The Compliance Angle
SOC 2 CC9.2, ISO 27001 A.15, and MLPS all require third-party dependency management. Your AI reliability tooling should reduce compliance surface area, not expand it.
What You Can Do Today
- Run
pip-auditto scan your dependencies - Pin versions with hashes in requirements.txt
- Check for
litellm_init.pthpersistence artifacts - Prefer zero-dependency packages
- Integrate pip-audit in CI/CD
The Hard Truth
The TeamPCP campaign proved supply chain attacks against AI infrastructure are operational, sophisticated, and cascading. Your pip install is a trust decision. Treat it like one.
NeuralBridge SDK is a 110KB, zero-dependency AI API self-healing library. pip install neuralbridge-sdk
Top comments (0)