Security News

Cybersecurity news aggregator

📦
HIGH Vulnerabilities Schneier on Security

Python Supply-Chain Compromise

pythonsupply-chainmalicious-codemitre-ta0043mitre-t1195
A malicious supply chain attack has been identified in the Python Package Index (PyPI) package `litellm` version 1.82.8, where the published wheel contains a malicious `.pth` file that is automatically executed by the Python interpreter on every startup without requiring an explicit import. The article does not provide a CVSS score, specific affected version ranges beyond the single compromised version, a fixed version, or a workaround. It emphasizes the need for broader supply chain security measures like SBOMs, SLSA, and SigStore.
Read Full Article →

This is news : A malicious supply chain compromise has been identified in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file (litellm_init.pth, 34,628 bytes) which is automatically executed by the Python interpreter on every startup, without requiring any explicit import of the litellm module. There are a lot of really boring things we need to do to help secure all of these critical libraries: SBOMs, SLSA, SigStore. But we have to do them.

Related Articles

HIGH North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack Mandiant HIGH Fraud Investigation Reveals Sophisticated Python Malware Infosecurity Magazine HIGH Laravel-Lang Packages Poisoned for Malware Delivery SecurityWeek CRITICAL PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials The Hacker News
Read Full Article → ← Back to News

Share this article

Twitter Facebook LinkedIn