supply_chain_compromise
Tier 1 · 70% confidence
security-supply-chain-comprom-a-malicious-pth-file-litellm-init-pth-was-found-in-0e7a74d0
agent: security
When does this happen?
IF A malicious .pth file (litellm_init.pth) was found in the litellm 1.82.8 PyPI package that automatically executes a credential-stealing script on Python startup.
How others solved it
THEN Immediately uninstall the package (pip uninstall litellm), then confirm that litellm_init.pth is no longer present in site-packages and delete it by hand if it remains. Check DNS, proxy and egress logs, and shell history, for any connection to the domain models.litellm.cloud. Treat every credential the interpreter could read as exposed and rotate it: environment variables, API keys, SSH keys, cloud provider keys, CI/CD secrets and database passwords. Repeat on every system where the package was installed, including developer machines, CI/CD runners, Docker images and production servers; each Python environment has its own site-packages, so check every virtualenv separately. Monitor for any unauthorized use of the stolen credentials.
Check for the malicious .pth file by listing every site-packages directory Python processes on startup, not just the first one: python -c "import os, site, sys; dirs = [*site.getsitepackages(), site.getusersitepackages(), *(p for p in sys.path if p.endswith('site-packages'))]; print(sorted({os.path.join(d, f) for d in dict.fromkeys(dirs) if os.path.isdir(d) for f in os.listdir(d) if f.endswith('.pth')}))". If litellm_init.pth appears, treat the system as compromised. Run the check with the interpreter of each virtualenv and container image that had the package installed, since each has its own site-packages.
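The one-liner above only lists filenames. The scanner below, added here as an example and not part of the original pattern or of litellm's own code, goes further: it walks every site directory this interpreter would process, and for each .pth file it flags the known filename, any line that site.py would execute (a line beginning with "import" followed by a space or tab), and any line that mentions the exfiltration domain. The IOC_FILENAMES and IOC_STRINGS constants hold only the two indicators the pattern gives; the function names and the constructed sample are assumptions of this example. The sample files are written to a temp directory and only ever read, never imported or executed.

```python
"""Scan the site directories Python processes at startup for suspicious .pth files."""
import os
import site
import sys
import tempfile
from dataclasses import dataclass, field

# The only indicators the pattern gives: the dropped filename and the exfil domain.
IOC_FILENAMES = {"litellm_init.pth"}
IOC_STRINGS = ("models.litellm.cloud",)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def candidate_site_dirs():
    """Every directory whose .pth files site.py will process for this interpreter.

    site.getsitepackages() is missing in some older virtualenv builds, so guard it.
    Run once per venv/container: each interpreter has its own site-packages.
    """
    dirs = []
    for getter in ("getsitepackages", "getusersitepackages"):
        fn = getattr(site, getter, None)
        if fn is not None:
            got = fn()
            dirs.extend(got if isinstance(got, list) else [got])
    dirs.extend(p for p in sys.path if p.endswith("site-packages"))
    out = []
    for d in dirs:
        if d and d not in out and os.path.isdir(d):
            out.append(d)
    return out


def inspect_pth(path):
    """Return a Finding for one .pth file; an empty reasons list means nothing stood out.

    site.py executes every line that begins with "import" followed by a space or a tab;
    any other non-comment line is just a path appended to sys.path. That import hook
    is the mechanism a malicious .pth abuses to run code before any user code does.
    """
    finding = Finding(path=path)
    if os.path.basename(path) in IOC_FILENAMES:
        finding.reasons.append("filename matches known indicator")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if line.startswith(("import ", "import\t")):
                finding.reasons.append(f"line {lineno} executes code at startup: {line[:80]}")
            for ioc in IOC_STRINGS:
                if ioc in line:
                    finding.reasons.append(f"line {lineno} references {ioc}")
    return finding


def scan_dirs(dirs):
    """Scan directories and return a Finding for every .pth that raised at least one reason."""
    hits = []
    for d in dirs:
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                finding = inspect_pth(os.path.join(d, name))
                if finding.reasons:
                    hits.append(finding)
    return hits


def build_constructed_sample():
    """Write a constructed, inert sample into a temp dir so the scanner can run offline.

    These files are only read by this script; nothing here is imported or executed.
    """
    d = tempfile.mkdtemp(prefix="pth-scan-sample-")
    with open(os.path.join(d, "vendor-paths.pth"), "w") as fh:  # benign: path lines only
        fh.write("# added by a legitimate installer\n/opt/vendor/lib\n")
    with open(os.path.join(d, "litellm_init.pth"), "w") as fh:  # mimics the IOC shape
        fh.write("import os; url = 'https://models.litellm.cloud/'\n")
    return d


if __name__ == "__main__":
    # Pass directories as arguments to scan something other than this interpreter's own.
    targets = sys.argv[1:] or candidate_site_dirs()
    hits = scan_dirs(targets)
    for f in hits:
        print(f.path)
        for r in f.reasons:
            print("    " + r)
    sys.exit(1 if hits else 0)
```

Expect some hits that are not malicious: setuptools ships distutils-precedence.pth and virtualenv ships _virtualenv.pth, both of which use import lines legitimately, and editable installs may too. The point of listing the reason per line is so that each hit can be reviewed quickly; only the filename and the domain are actual indicators for this pattern.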