Malicious .pth File in PyPI litellm 1.82.8 Enables Supply‑Chain Attack on Python Environments
What Happened — A malicious .pth file (litellm_init.pth) was discovered in the PyPI package litellm version 1.82.8. The file is automatically loaded by the Python interpreter on every startup, allowing arbitrary code execution without any explicit import of the litellm module.
Why It Matters for TPRM —
- Third‑party open‑source components can become a stealthy attack vector across any industry that relies on Python.
- Automatic execution bypasses typical code‑review controls, increasing the risk of credential theft, data exfiltration, or lateral movement.
- Highlights the need for SBOMs, SLSA compliance, and signed package verification (e.g., Sigstore) in vendor risk programs.
Who Is Affected — Technology & SaaS firms, financial services, healthcare providers, retail/e‑commerce platforms, and any organization that incorporates the compromised litellm library into production or development pipelines.
Recommended Actions —
- Immediately remove litellm==1.82.8 from all environments and revert to a clean version.
- Conduct a rapid inventory of all Python packages to identify other potentially compromised dependencies.
- Enforce SBOM generation and verify package signatures using Sigstore or similar tooling.
- Update procurement policies to require SLSA‑level attestations for critical open‑source libraries.
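An added example, not code from the original page or from the litellm project: a Python scan of the interpreter's site-packages directories for the litellm_init.pth file named above and for any other .pth file carrying lines that would be executed at start-up. It assumes the standard CPython rule that a .pth line beginning with "import" followed by a space or tab is executed; the function names are illustrative.

```python
import site
import sysconfig
from pathlib import Path

# File name reported on this page for litellm 1.82.8.
KNOWN_BAD_NAMES = {"litellm_init.pth"}


def site_dirs():
    """Directories whose .pth files the site module processes at start-up."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    if hasattr(site, "getsitepackages"):
        dirs.update(site.getsitepackages())
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def executable_lines(pth_file):
    """Return (line_no, text) for lines the site module would execute."""
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8-sig", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        # Lines beginning with "import" + space or tab are executed;
        # other non-comment lines are only appended to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()[:200]))
    return hits


def scan(dirs):
    """Report every .pth file that is known-bad by name or carries code."""
    findings = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            code = executable_lines(pth)
            known = pth.name in KNOWN_BAD_NAMES
            if known or code:
                findings.append({"file": str(pth), "known_bad": known, "code_lines": code})
    return findings


if __name__ == "__main__":
    results = scan(site_dirs())
    for f in results:
        tag = "KNOWN-BAD" if f["known_bad"] else "review"
        print(f"[{tag}] {f['file']}")
        for no, line in f["code_lines"]:
            print(f"    line {no}: {line}")
```

Some legitimate packages, setuptools among them, also ship .pth files with import lines, so a "review" hit calls for a manual look at the file rather than automatic deletion.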
Technical Notes — The malicious payload is delivered via a .pth file, a path configuration file that Python's site module processes at interpreter start‑up, executing any line that begins with an import statement. No CVE has been assigned yet, but the attack leverages a supply‑chain weakness (third‑party dependency) rather than a software vulnerability. Data types at risk include any credentials, API keys, or proprietary code that the malicious script can access.
Source: Schneier on Security