On March 25, 2026, Callum McMahon at futuresearch.ai published a minute-by-minute incident transcript of his team's response to the LiteLLM supply chain compromise. It's excellent — technically precise, honest about where Claude initially misdiagnosed the incident, and worth reading in full.
But buried in the timeline is something that changes how you should think about credential security for AI agents.
The fork bomb was an accident.
What the Transcript Reveals
The attack vector was litellm_init.pth, a Python .pth file embedded in the compromised package. Python's .pth mechanism executes code at interpreter startup, before any import. This is how the credential harvest began before the application ran a single line.
The harvester's job was straightforward: collect environment variables, SSH keys, AWS credentials, Kubernetes configs, crypto wallet files, shell history — encrypt everything and POST to models.litellm.cloud.
Then something went wrong. From the transcript:
The
.pthfile fires on every Python startup. The harvester spawns a child subprocess withsubprocess.Popen([sys.executable, ...]). That child process fires the.pth. That child spawns another child. 11,000 processes.
The fork bomb — the thing that alerted the engineer, that turned a silent compromise into a visible incident — was a bug in the malware. The attacker's credential harvester called subprocess.Popen([sys.executable, ...]) without realizing that sys.executable would re-trigger the .pth file on startup, creating an infinite process tree.
If that subprocess call hadn't been there — if the harvester had been written slightly more carefully — the attack would have been silent.
No spike in CPU. No memory exhaustion. No "Claude Code went haywire" alert. Just a small HTTPS POST to a domain that looks like litellm.ai, carrying an encrypted archive of everything in the environment.
The Silence Problem
What the transcript adds is this: you often won't know it happened.
The standard mental model for security incidents involves some detectable signal — anomalous traffic, elevated resource usage, a log entry. But credential exfiltration doesn't need to produce any of these. A single HTTPS POST to an HTTPS endpoint, compressed and encrypted, produces no more network traffic than a normal API call. A credential harvest that takes 200ms generates no meaningful resource signal.
The LiteLLM attack revealed itself through an accident. The 72-minute detection window wasn't impressive — it was lucky.
Consider the inverse: how many credential harvests succeeded quietly? How many environments have .env files, SSH keys, and cloud tokens sitting in processes that were at some point fed a malicious package — with no fork bomb to announce it?
The honest answer is: we don't know. That's the point.
Why the Environment Is the Wrong Place
The .pth attack surface exists because agents load credentials directly into process memory. There's a straightforward reason this happens: it's the path of least resistance. OPENAI_API_KEY=sk-... in an .env file, loaded at startup, passed as an environment variable to every subprocess.
This architecture assumes that code running in the process is trustworthy. The LiteLLM attack shows it isn't — and that the untrusted code arrives quietly, through a dependency two or three levels deep.
The fix isn't better scanning. It's a different architecture.
What Vault-First Architecture Changes
A vault-first model takes credentials out of the process entirely. Instead of process.env.ANTHROPIC_API_KEY, an agent calls:
GET /v1/vault/secrets/anthropic-key
Authorization: Bearer <agent-vault-token>
And receives the credential only at the moment it's needed, for the specific operation it's authorizing.
This changes the attacker's problem in a few concrete ways.
The harvest attack collects references, not credentials. A .pth-style attack running against a vault-first agent will collect the agent's vault token — a reference. Not the underlying API keys, SSH credentials, or cloud tokens those references unlock. The attacker now needs to make authenticated API calls to retrieve each credential, rather than dumping the environment in one operation.
Bulk exfiltration is architecturally blocked. The .pth attack succeeds because it can dump everything in one shot: enumerate environment variables, read ~/.ssh/, crawl ~/.aws/, collect ~/.config/. In a vault-first model, there is no local file to crawl. Credentials are fetched one at a time, through an API that logs each request.
Every credential access is audited. This is what the fork bomb was accidentally doing: creating a visible signal. A vault-first architecture creates that signal intentionally, for every credential access. Anomalous patterns — an agent fetching production database credentials at 3am, or making 400 vault requests in 2 seconds — appear in the audit trail before you have 11,000 processes eating your RAM.
Rotation is one operation. When you detect a compromise (or even suspect one), rotating credentials in a vault means changing one value, one time. Every agent that references that credential gets the new value on its next fetch. In an environment-variable world, rotation means hunting down every deployment that has the credential baked in.
The Attacker's Bug Was Your Warning
The futuresearch.ai team was good. They identified the malware in 27 minutes, confirmed it on an isolated Docker container in 13 more, emailed PyPI and LiteLLM maintainers within 20, and had a disclosure blog post drafted, merged, and posted in 3 minutes — all with Claude as the primary analyst.
But the reason they had 72 minutes to respond, rather than days or weeks, was an accident. The attacker's fork bomb was a bug.
The next attack will be written by someone who read the incident report.
The question isn't whether your supply chain is trustworthy. It isn't, at the scale of dependency graphs in 2026. The question is what an attacker gets if they reach your process. If the answer is "everything in the environment," you're one careful .pth file away from a silent harvest that never produces a fork bomb, never spikes your metrics, and only surfaces when someone notices the credentials being used in the wrong place at the wrong time — if they notice at all.
Vault-first architecture doesn't prevent supply chain attacks. Nothing does. But it changes what the attacker takes home.
AgentLair provides a credential vault and identity layer for AI agents.
Top comments (0)