Description:
A supply chain attack was discovered some time ago affecting LiteLLM versions distributed via PyPI. The compromised
versions contained malicious code that could exfiltrate sensitive data including API keys and environment variables.
Currently pyproject.toml defines
"litellm >= 1.75.5", # want to have gpt-5 support
as a dependency. That constraint is only a lower bound, so the compromised 1.82.7 and 1.82.8 releases still satisfy it and can be resolved by a fresh install. The requirement should be updated so that those versions cannot be selected (a higher lower bound or explicit exclusions), and installs should be pinned through a lockfile with hash verification so a later compromised release cannot be pulled in silently.
Impact:
- At least litellm versions 1.82.7 and 1.82.8 are affected; both are within the range allowed by the current ">= 1.75.5" constraint.
- Potential exposure of API keys, tokens, and other sensitive credentials
- Risk of unauthorized access to LLM provider accounts
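The following is an added example, not code from the original issue or from the LiteLLM project. It shows why a lower-bound-only constraint does not protect against a compromised release: it evaluates a requirement string of the kind found in pyproject.toml against the two versions the issue names, for both the current specifier and a constructed hardened one that excludes them. The specifier parser is a deliberately simplified subset of PEP 440 (dotted numeric versions and the operators >=, >, <=, <, ==, !=; no pre-releases, wildcards, epochs or local versions), and the hardened specifier is an assumption, not a recommended version; use the `packaging` library for production checks.

```python
"""Does a dependency specifier still admit known-compromised releases?

Added example, not part of the original issue or of LiteLLM. Simplified
PEP 440 handling: dotted numeric versions and >=, >, <=, <, ==, != only.
"""
import re

# Releases the issue identifies as compromised on PyPI.
COMPROMISED = ("1.82.7", "1.82.8")

# The requirement currently declared in pyproject.toml.
CURRENT_REQUIREMENT = "litellm >= 1.75.5"
# Constructed remediation for illustration: same lower bound plus explicit
# exclusions of the known-bad releases. Not a statement about any other version.
HARDENED_REQUIREMENT = "litellm >= 1.75.5, != 1.82.7, != 1.82.8"

# Optional extras such as litellm[proxy] are accepted and ignored.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*?)\s*$")
_CLAUSE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """'1.82.7' -> (1, 82, 7)."""
    return tuple(int(part) for part in text.strip().split("."))


def _compare(a, b):
    """Three-way compare, padding with zeros so 1.82 == 1.82.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_specifier(spec):
    """'>= 1.75.5, != 1.82.7' -> [('>=', (1,75,5)), ('!=', (1,82,7))]."""
    clauses = []
    for part in spec.split(","):
        if not part.strip():
            continue
        match = _CLAUSE.match(part)
        if match is None:
            raise ValueError(f"unsupported specifier clause: {part!r}")
        clauses.append((match.group(1), parse_version(match.group(2))))
    return clauses


def version_allowed(spec, version):
    """True if every clause of the specifier accepts the version.

    An empty specifier accepts everything, which is exactly the danger of an
    unconstrained dependency.
    """
    candidate = parse_version(version)
    for op, bound in parse_specifier(spec):
        c = _compare(candidate, bound)
        accepted = {">=": c >= 0, ">": c > 0, "<=": c <= 0,
                    "<": c < 0, "==": c == 0, "!=": c != 0}[op]
        if not accepted:
            return False
    return True


def admitted_bad_versions(spec, bad=COMPROMISED):
    """Known-bad versions that the specifier would still let the resolver pick."""
    return [v for v in bad if version_allowed(spec, v)]


def audit_requirement(requirement, bad=COMPROMISED):
    """Split 'name specifier' and report which bad releases remain installable."""
    match = _REQ.match(requirement)
    if match is None:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    name, spec = match.group(1), match.group(2)
    return name, admitted_bad_versions(spec, bad)


if __name__ == "__main__":
    for req in (CURRENT_REQUIREMENT, HARDENED_REQUIREMENT):
        name, admitted = audit_requirement(req)
        status = "STILL ADMITS " + ", ".join(admitted) if admitted else "excludes known-bad releases"
        print(f"{req!r:45} -> {name}: {status}")
```

Running the block prints that the current requirement still admits both compromised releases while the hardened one excludes them. The exclusion approach is the minimum change; the exclusions only cover releases already known to be bad, so a lockfile with pinned versions and hashes is the control that actually prevents a future compromised upload from being installed.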
References: