litellm encountered a PyPI supply chain attack, allowing the theft of all sensitive credentials such as SSH keys with a simple installation

Andrej Karpathy posted on the X platform that litellm has encountered a PyPI supply chain attack, where executing pip install litellm can steal SSH keys, AWS/GCP/Azure credentials, Kubernetes configurations, git credentials, environment variables, encrypted wallets, SSL private keys, CI/CD keys, and database passwords.

litellm has a monthly download volume of 97 million, and the risk can spread to all projects that depend on litellm, such as dspy. The version with the malicious code was online for less than about 1 hour, and it was discovered due to a flaw in the attack code that caused Callum McMahon's machine to run out of memory and crash. Andrej Karpathy stated that supply chain attacks are the most threatening issue in modern software, as each installation of dependencies can introduce tampered packages deep within the dependency tree, leading him to increasingly prefer reducing dependencies and using LLM to directly implement simple functions.