Krux

April 2, 2026
LiteLLM's Supply Chain Attack Lasted 40 Minutes
Published: April 2, 2026 at 12:29 AM
Updated: April 2, 2026 at 12:29 AM
What happened
LiteLLM disclosed that two compromised package releases hit PyPI after attackers poisoned a security scanner in their CI/CD pipeline. The culprit? An unpinned Trivy dependency plus static credentials sitting in CircleCI environment variables. PyPI quarantined both versions within 40 minutes on March 24. The company brought in Google's Mandiant, which confirmed no malicious code reached the main codebase. Still, LiteLLM deleted 6,000 open branches and rotated every secret touching the build chain.
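An added example, not LiteLLM's code or configuration: a small Python audit that flags CI dependencies of the kind described above, ones that can change between builds because nothing pins their content. The sample config, the `aquasec/trivy:latest` reference, the digest, and all function and rule names are constructed for illustration; the page does not say how Trivy was pulled into the pipeline.

```python
import re

FAKE_DIGEST = "0" * 64  # constructed placeholder, not a real image digest

# Constructed CircleCI-style config for illustration; not LiteLLM's pipeline.
SAMPLE_CONFIG = f"""\
version: 2.1
jobs:
  scan:
    docker:
      - image: aquasec/trivy:latest
      - image: cimg/python:3.12@sha256:{FAKE_DIGEST}
    steps:
      - run: pip install twine build==1.2.1
      - run: curl -sSfL https://example.invalid/install.sh | sh
      - run: pip install --require-hashes -r requirements.txt
"""

IMAGE = re.compile(r"^\s*-?\s*image:\s*(\S+)")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
PIP = re.compile(r"\bpip3?\s+install\s+(.+)")
PIPE_SH = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")
TAKES_FILE = {"-r", "-c", "--requirement", "--constraint"}


def audit(config_text):
    """Return (line_no, rule, detail) for each dependency that can change
    between builds without a change to the config itself."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = IMAGE.match(line)
        # A tag (":latest", ":1.2") is mutable; only a digest names fixed content.
        if m and not DIGEST.search(m.group(1)):
            findings.append((n, "image-not-digest-pinned", m.group(1)))
        m = PIP.search(line)
        # --require-hashes makes pip reject anything not pinned and hashed.
        if m and "--require-hashes" not in line:
            args = re.split(r"[;&|]", m.group(1))[0].split()
            for i, arg in enumerate(args):
                if arg.startswith("-") or (i and args[i - 1] in TAKES_FILE):
                    continue
                if "==" not in arg:
                    findings.append((n, "pip-unpinned", arg))
        # Fetch-and-execute runs whatever the remote host serves at build time.
        if PIPE_SH.search(line):
            findings.append((n, "remote-script-piped-to-shell", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```

The check is line-based and does not parse YAML, so multi-line `run` blocks and dependencies fetched in other ways need their own rules.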
Why it matters
The fix involves ephemeral credentials and Cosign-based release signing so anyone can verify a package before installing. Turns out the tools meant to catch vulnerabilities can become the vulnerability.