Andrew S. Bandy

LiteLLM was compromised, but GoModel is a good alternative

LiteLLM just had a serious supply chain incident.

According to the public GitHub reports, malicious PyPI versions of LiteLLM were published, including 1.82.8, with code that could run automatically on Python startup and steal secrets like environment variables, SSH keys, and cloud credentials. The reported payload sent that data to an attacker-controlled domain. A follow-up issue says the PyPI package was compromised through the maintainer's PyPI account, and that the bad releases were not shipped through the official GitHub CI/CD flow.

This is bigger than one package. It is a reminder that the AI infra layer is now part of your security boundary.
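A host check for the incident described above, as an added example that is not from the original post or from the LiteLLM project: it flags the one malicious version the post names (1.82.8) and lists `.pth` lines that Python executes at interpreter startup. Treating `.pth` files as the startup hook is an assumption, since the post does not say which mechanism was used; `KNOWN_BAD`, `audit` and the other names are illustrative.

```python
import site
import sys
from importlib import metadata
from pathlib import Path

# Only 1.82.8 is named in the post; add the other reported releases
# from the advisory itself rather than guessing them.
KNOWN_BAD = {"litellm": {"1.82.8"}}


def executable_pth_lines(text):
    """Lines of a .pth file that site.py exec()s at startup (they begin with 'import')."""
    return [ln.strip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def flagged_version(name, version, known_bad=KNOWN_BAD):
    """True when this distribution/version pair is in the known-bad set."""
    return version in known_bad.get(name.lower(), set())


def site_dirs():
    """Existing site-packages directories for this interpreter (global and per-user)."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    return [Path(d) for d in dirs if Path(d).is_dir()]


def audit():
    """Return findings: known-bad installs plus every auto-executed .pth line."""
    findings = []
    for name in KNOWN_BAD:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue  # package not installed in this environment
        if flagged_version(name, version):
            findings.append(f"BAD VERSION {name}=={version}")
    for directory in site_dirs():
        for pth in sorted(directory.glob("*.pth")):
            try:
                text = pth.read_text(errors="replace")
            except OSError:
                continue  # unreadable entry; skip it
            for line in executable_pth_lines(text):
                findings.append(f"STARTUP CODE {pth}: {line[:120]}")
    return findings


if __name__ == "__main__":
    results = audit()
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Some legitimate packages, editable installs for example, also ship executable `.pth` lines, so each `STARTUP CODE` finding needs review rather than automatic removal.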

Fortunately, there is a good alternative: GoModel, a faster, simpler alternative to LiteLLM, written in Go. It is simpler and smaller, and it performs better for teams that want a reliable LLM gateway.

Repo link: https://github.com/ENTERPILOT/GOModel/
