I'm the engineer who got PyPI to quarantine litellm. Here's the full recording of how I found it.
Developers not trained in security research can now sound the alarm at a much faster rate than previously. AI tooling has sped up not just the creation of malware but also the detection.
This is the Claude Code conversation transcript from discovering and responding to the litellm 1.82.8 supply chain attack on March 24, 2026. The session began as a routine investigation into a frozen laptop and escalated into a full malware analysis and public disclosure, all within a single conversation. See our disclosure post for the full writeup.
Timeline
Phases: ATTACK, INVESTIGATION, CONFIRMATION, RESPONSE

10:52  Poisoned litellm v1.82.8 uploaded to PyPI
       No corresponding GitHub tag — only v1.82.6 existed
10:58  futuresearch-mcp-legacy pulls compromised version as dependency
       Cursor ran uvx futuresearch-mcp-legacy, which depends on litellm
11:07  Malware attempts persistence installation
       ~/.config/sysmon/sysmon.py created (0 bytes — write interrupted)
11:09  Force reboot after 11k-process fork bomb
       Reboot interrupted persistence — malware partially neutralized
11:13  Investigation begins with Claude Code
       Initially suspected runaway Claude Code loop, not malware
11:40  Malware identified in litellm package
       litellm_init.pth found — credential theft, K8s lateral movement, exfil
11:58  Confirmed live on PyPI via isolated Docker download
       Fresh download contains litellm_init.pth (34 KB) — actively infecting
12:02  Disclosure blog post written and published
       Claude Code wrote the post, created PR, merged — 3 minutes end to end
12:04  Shared with r/Python, r/netsec, r/LocalLLaMA
       72 minutes from first symptom to public disclosure
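A check for the two on-disk artifacts the timeline names, litellm_init.pth and ~/.config/sysmon/sysmon.py, plus any .pth line that Python would execute at interpreter startup. This is an added example, not code from the session or the disclosure post; the function names and finding labels are hypothetical.

```python
"""Added example: look for the on-disk artifacts named in the timeline."""
import sys
from pathlib import Path

# Both names are taken from the timeline above.
PTH_NAME = "litellm_init.pth"
PERSISTENCE = Path(".config") / "sysmon" / "sysmon.py"


def executable_pth_lines(pth_file):
    """Return the lines of a .pth file that Python's site module would exec().

    site.py treats a line starting with "import " or "import\\t" as code and
    runs it at every interpreter start; other non-comment lines are paths.
    """
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan(site_dirs, home):
    """Return (kind, path, detail) findings for the given directories."""
    findings = []
    for d in map(Path, site_dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            if pth.name == PTH_NAME:
                findings.append(("named-in-timeline", str(pth), f"{pth.stat().st_size} bytes"))
            for ln in executable_pth_lines(pth):
                findings.append(("executable-pth-line", str(pth), ln[:80]))
    target = Path(home) / PERSISTENCE
    if target.exists():
        # The timeline reports a 0-byte file (write interrupted); any size counts.
        findings.append(("persistence-path", str(target), f"{target.stat().st_size} bytes"))
    return findings


if __name__ == "__main__":
    # Default: this interpreter's import path; pass other environment dirs as arguments.
    dirs = sys.argv[1:] or [p for p in sys.path if p]
    for kind, path, detail in scan(dirs, Path.home()):
        print(f"{kind}\t{path}\t{detail}")
```

Legitimate packages also ship .pth files with import lines, so an executable-pth-line finding is a prompt for review rather than a verdict. Run it against every environment that could have resolved litellm, including tool and package-manager caches, by passing their site-packages directories as arguments.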
You no longer need to know the specifics of macOS shutdown logs, how to parse cache systems of various package managers, remember the specific Docker commands to pull a fresh container with the malware downloaded, or even know whose email address to contact. You just need to be calmly walked through the human aspects of the process, and leave the AI to handle the rest.
Should frontier labs be training their models to be more aware of these attacks? In this case it took some healthy skepticism to get Claude to look for malice, given how unlikely being patient zero for an undocumented attack is.
Shout out to claude-code-transcripts for help displaying this.
All times are UTC. Redactions marked as [...] protect internal infrastructure details.
Transcript