
fix(security): pin litellm<=1.82.6 to mitigate supply chain attack #298

Closed
drewdrewthis wants to merge 1 commit into main from fix/pin-litellm-supply-chain

Conversation

@drewdrewthis
Collaborator

@drewdrewthis drewdrewthis commented Mar 24, 2026

Summary

  • Pins litellm<=1.82.6 in python/pyproject.toml to block compromised versions 1.82.7–1.82.8
  • litellm was compromised via PyPI account takeover by TeamPCP (same group behind the Trivy compromise)
  • Malicious versions contain .pth auto-execution payload targeting crypto wallets and API keys
  • Our lockfile already pins 1.81.13 (safe), but the open >=1.49.0 range would pull malicious versions on a fresh resolve

Impact assessment

This project was NOT compromised. Our uv.lock pins litellm at 1.81.13, which predates the malicious versions (1.82.7–1.82.8). This pin is a preventive measure to ensure no future resolve can pull the affected versions.

CI status

CI failure is expected. PyPI has quarantined the entire litellm package (all versions, not just the malicious ones). Since this PR changes pyproject.toml, uv run tries to re-resolve against PyPI and fails. This is transient — once PyPI restores the safe versions, the lockfile can be regenerated and CI will pass. Note: main would also fail if any change triggered python-ci.yml right now.

To merge: regenerate uv.lock after PyPI restores litellm, then push.

Test plan

  • Regenerate uv.lock once PyPI restores litellm (run uv lock in python/)
  • Verify CI passes after lockfile update
  • Remove <=1.82.6 pin once litellm publishes a verified clean release

Ref: https://news.ycombinator.com/item?id=47501729

🤖 Generated with Claude Code

litellm versions 1.82.7-1.82.8 were compromised via PyPI account
takeover (TeamPCP). Adds upper bound pin to prevent accidental
installation of malicious versions.

Ref: https://news.ycombinator.com/item?id=47501729

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

This PR tightens a third-party dependency constraint in python/pyproject.toml by pinning litellm<=1.82.6 to avoid compromised versions 1.82.7–1.82.8. Because it changes how we resolve and integrate an external package (a supply-chain/security-sensitive dependency), it falls under changes to integrations with third-party systems and does not meet the low-risk criteria. Please route this through the normal review/security process or use the firefighting label if this is an urgent emergency fix.

This PR requires a manual review before merging.

@0xdeafcafe 0xdeafcafe closed this Apr 9, 2026
@0xdeafcafe 0xdeafcafe deleted the fix/pin-litellm-supply-chain branch April 9, 2026 17:36
sergioestebance added a commit that referenced this pull request May 1, 2026
- #88: Update @modelcontextprotocol/sdk to >=1.25.2 (ReDoS via @openai/agents bump)
- #132: Update protobuf to 5.29.6 (JSON recursion depth bypass)
- #160: Override minimatch to >=9.0.6 (ReDoS via repeated wildcards)
- #200: Override liquidjs to >=10.25.0 (path traversal fallback)
- #298: Override lodash to >=4.18.0 (code injection via _.template)
sergioestebance added a commit that referenced this pull request May 1, 2026
- #88: Update @modelcontextprotocol/sdk to >=1.25.2 (ReDoS via @openai/agents bump)
- #132: Update protobuf to 5.29.6 (JSON recursion depth bypass)
- #200: Override liquidjs to >=10.25.0 (path traversal fallback)
- #298: Override lodash to >=4.18.0 (code injection via _.template)
sergioestebance added a commit that referenced this pull request May 2, 2026
- #88: Update @modelcontextprotocol/sdk to >=1.25.2 (ReDoS via @openai/agents bump)
- #132: Update protobuf to 5.29.6 (JSON recursion depth bypass)
- #200: Override liquidjs to >=10.25.0 (path traversal fallback)
- #298: Override lodash to >=4.18.0 (code injection via _.template)
Aryansharma28 added a commit that referenced this pull request May 4, 2026
- #88: Update @modelcontextprotocol/sdk to >=1.25.2 (ReDoS via @openai/agents bump)
- #132: Update protobuf to 5.29.6 (JSON recursion depth bypass)
- #200: Override liquidjs to >=10.25.0 (path traversal fallback)
- #298: Override lodash to >=4.18.0 (code injection via _.template)

Co-authored-by: aryansharma28 <aryansharma2k2@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>