A developer's worst nightmare has just come true. The PyPI release of LiteLLM, a widely used library that sits underneath many AI projects as a dependency, recently suffered a severe supply chain attack. AI heavyweight Andrej Karpathy was shaken by it, stating outright that this kind of attack is the scariest thing in modern software.
How destructive is it? Typing the entirely routine installation command "pip install litellm" in your terminal is enough for your most sensitive secrets to be exposed.
The malicious code sweeps up every sensitive credential it can find on the machine: SSH keys, credentials for the major cloud providers (AWS, GCP, Azure), Kubernetes configurations, Git credentials, every environment variable containing an API key, shell history, cryptocurrency wallets, SSL private keys, CI/CD secret files, and database passwords.
The culprit is LiteLLM version 1.82.8. This release was implanted with a special file, "litellm_init.pth," containing Base64-encoded instructions. Because the Python interpreter processes .pth files in site-packages at every start-up, the payload runs without anyone ever importing LiteLLM. It not only sends the secrets listed above to a remote server, it also has self-replication capabilities.
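As an added, defender-side illustration (not code from the article or from the LiteLLM project): a small scanner that walks site-packages directories for .pth files, reports any line the interpreter would execute at start-up (lines beginning with `import`), and raises the severity when that line references exec-style or Base64-decoding calls. The file names and sample contents below are constructed, not the real payload.

```python
import os
import tempfile

# Strings that lift an executed import line from "medium" to "high" severity.
RISK_MARKERS = ("exec(", "eval(", "compile(", "base64", "zlib", "marshal",
                "urlopen", "socket", "subprocess", "os.system")

def analyze_pth_text(text):
    """Findings for one .pth file. Per Python's site module, lines that
    start with 'import ' or 'import\\t' are executed at interpreter start;
    blank and '#' lines are skipped; everything else is a path entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(("import ", "import\t")):
            continue  # plain path entry, never executed
        hits = [m for m in RISK_MARKERS if m in line]
        findings.append({"line": lineno, "markers": hits,
                         "severity": "high" if hits else "medium",
                         "text": line[:120]})
    return findings

def scan_dirs(dirs):
    """Map each .pth path under the given directories to its findings."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    found = analyze_pth_text(f.read())
                if found:
                    report[path] = found
    return report

if __name__ == "__main__":
    # Constructed samples (not the real payload): a path-only .pth and an
    # import-line .pth of the kind the article describes.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "paths.pth"), "w") as f:
            f.write("/opt/myproject/src\n# a comment\n")
        with open(os.path.join(tmp, "odd_init.pth"), "w") as f:
            f.write('import sys;exec(__import__("base64").b64decode("PLACEHOLDER"))\n')
        for path, found in scan_dirs([tmp]).items():
            for hit in found:
                print(f"{path}:{hit['line']} [{hit['severity']}] {hit['text']}")
```

On a real machine, pass `site.getsitepackages() + [site.getusersitepackages()]` to `scan_dirs`; a "medium" hit such as `import _virtualenv` is expected in virtual environments, so review the flagged text rather than treating every hit as malicious.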
It is worth noting that LiteLLM sees as many as 97 million downloads a month, which is alarming enough by itself. What is even more damaging is the transitive spread. Installing any large project that depends on LiteLLM lower in its dependency tree compromises you just as immediately. For example, the DSPy library requires a LiteLLM version greater than or equal to 1.64.0; since the newest release satisfies that requirement, installing DSPy pulls in 1.82.8, and the machine is breached before DSPy itself has even been run.
Moreover, the situation developed in an even worse direction. Someone publicly filed a related vulnerability issue on GitHub, but the project owner closed it outright, stating that they did not intend to handle it. This makes it almost certain that the project maintainer's account had been completely compromised.
Fortunately, the malicious version was discovered less than an hour after it went live. The discovery was full of drama, and it happened entirely because the attacker's code contained a bug.
At the time, developer Callum McMahon was using the MCP plugin in the Cursor editor, which pulls in LiteLLM as a transitive dependency. As soon as version 1.82.8 was installed, his computer ran out of memory and crashed completely. Had the attacker not written such sloppy code that it crashed the system, this high-risk attack might have gone undetected for days or even weeks.
In Karpathy's view, this type of supply chain attack is extremely dangerous. Every time you install any dependency, you may be pulling in a poisoned package buried deep in the dependency tree that you never see. For large projects with massive dependency trees the risk is extremely high. Worse, the credentials stolen in these attacks are then used to take over more accounts, which in turn compromises more packages, forming a vicious cycle.
Facing this reality, Karpathy's views on software engineering are changing. Classical software engineering treats dependency libraries as a good thing: developers stack ready-made bricks into a pyramid. He now has to re-evaluate that approach and is increasingly averse to external dependencies. His current attitude is that, whenever a function is simple enough and conditions permit, he prefers to have a large language model generate the code for his own use directly, avoiding these frightening security risks altogether.