Security Week 2614: Supply Chain Attack on LiteLLM Library

In version 1.82.7, the malicious code was embedded in the proxy_server.py file. In version 1.82.8, a .pth file was additionally added, which caused the malicious code to execute every time the interpreter was run, even if the infected library was not used. After execution, the infected script began recursively scanning the working directories on the victim's system. In each directory, the script reviewed the contents of the files, which it outputted to the stdout buffer and saved to a file for later transmission to the attacker’s command server. Then, the script collected system information and saved it to a file. After that, it began searching for confidential data, including the following types:

• SSH keys

• GIT accounts

• env files

• AWS, Kubernetes, email service, database, and WireGuard VPN configurations

• Files related to Helm, Terraform, CI

• TLS keys and certificates

A detailed list of the collected data is available here. In addition to the information saved on the system, the malicious code also tried to extract secrets from cloud infrastructure, such as from AWS servers. Besides the data listed above, the script searches for wallet configurations and access data for Slack and Discord messaging services. Finally, the malware has tools for persistence in the Kubernetes cluster infrastructure.

In addition to this "standard" functionality, the malicious code periodically contacts the command server and may receive an additional executable file from it, which will be launched on the system. During the analysis of the malicious program, researchers discovered malicious versions of two popular Checkmarx software extensions, which are used for application security assessment. These extensions contained similar (though slightly reduced in functionality) malicious code in the NodeJS version.

Malicious versions of LiteLLM have already been removed from the PyPI and OpenVSX repositories. For those who have already downloaded the malicious version, Kaspersky Lab experts recommend the following set of actions: rotation of all potentially affected credentials and secrets, checking hosts and clusters for traces of the malicious script, clearing the cache and inventorying PyPI modules, as well as a general check for indicators of compromise.

The attack on LiteLLM is attributed to the TeamPCP group, which has also hacked other projects in recent days, including Telnyx and Trivy.

What Else Happened

In early March, Google researchers reported the discovery of the Coruna exploit kit, targeting Apple devices running iOS 13-17.2.1. This framework uses a number of already fixed vulnerabilities, including CVE-2023-32434 and CVE-2023-38606. Another publication by Kaspersky Lab experts analyzes elements of the Coruna framework. According to specialists, the exploit for the above-mentioned two vulnerabilities is actually an updated version of an exploit previously used in the Operation Triangulation attack in 2023.

At Malwarebytes, an infostealer was discovered that steals data from Apple computers using the ClickFix technique — when the user is tricked into executing the malicious code on their system.