
Supply-Chain Malware Hits LiteLLM; Delve Audits Scrutinized

Security · Top News · 3 sources · Mar 26

Summary

  • Malware found in LiteLLM proxy, downloaded 3.4M times daily
  • Attack entered via dependency, stealing credentials in cascading chain
  • LiteLLM's compliance certs from Delve questioned amid separate fraud allegations
  • Mandiant engaged for forensics; incident reportedly contained within hours

Details

1. Context

LiteLLM is a high-value target as a widely-used AI proxy routing requests to hundreds of LLM APIs

LiteLLM provides developers easy access to hundreds of AI models with spend management features, making it a critical node in many AI development pipelines and a valuable supply-chain attack target.

2. Security Alert

Malware entered through a dependency and executed a cascading credential-theft attack

The attack did not originate in LiteLLM's core code but in a software dependency. It stole login credentials from affected systems and used them to propagate to additional packages and accounts.

3. Security Alert

A bug in the malware caused it to crash machines, enabling faster discovery and containment

Callum McMahon (FutureSearch) discovered the malware when it caused his machine to shut down. The LiteLLM team likely contained the incident within hours and engaged Mandiant for a forensic review.

4. Industry Update

LiteLLM's SOC2 and ISO 27001 certs were issued by Delve, a startup facing separate fraud allegations

Delve, a YC-backed AI compliance startup, has been accused of generating fake compliance data and using rubber-stamp auditors — allegations Delve denies. LiteLLM CEO Krrish Dholakia declined to comment on the Delve connection.

5. Insight

SOC2 certification does not guarantee protection against dependency-based supply-chain attacks

While SOC2 is intended to cover policies around software dependencies, industry observers note such certifications do not by themselves prevent malware from entering through a dependency chain — raising questions about audit depth.

6. Market Impact

Industry reaction highlighted the irony of a compromised tool being certified 'Secured by Delve'

Engineer Gergely Orosz reacted on X: 'Oh damn, I thought this WAS a joke. … but no, LiteLLM *really* was Secured by Delve.' The convergence of a real supply-chain attack and unresolved questions about the certifying body intensified scrutiny on both stories.

Supply-chain malware attack on LiteLLM and its intersection with the Delve compliance controversy

What This Means

For AI practitioners and builders relying on LiteLLM in production pipelines, this supply-chain attack is a concrete reminder that dependency security is a critical and often under-audited attack surface — credential theft through a dependency can affect downstream systems regardless of a tool's own code quality. The incident also prompts developers to scrutinize what compliance certifications from AI-native vendors actually cover, particularly around third-party dependencies, especially given the unresolved allegations against Delve. Until Mandiant's forensic review concludes, the full scope of the compromise remains unknown.

Sentiment

Mostly concerned about supply-chain vulnerabilities and questionable audit certifications, with some praise for incident response

@GergelyOrosz · Gergely Orosz · Author @Pragmatic_Eng (top software eng newsletter), ex-Uber/Skype
Critical

LiteLLM *really* was "Secured by Delve" (the company that rubber stamped all of these audits, and seems to have been on the edge of fraudulent auditing, but useless for sure). And so unsurprisingly LiteLLM was compromised, badly

@vxunderground · vx-underground · Malware researcher, maintainer of largest malware sample collection
Alarmed

The payload was a SUCCESS. The payload failed in specific edge cases... The Threat Actor(s) managed to exfiltrate data from 500,000 infected machines (approx. 300gb of data)... LiteLLM is SOC2 certified by Delve.

@DavidMezzetti · David Mezzetti · Founder @neumll, Creator of TxtAI
Skeptical

One common take I've seen on the LiteLLM breach is this: pin your dependencies to a specific version. Yes, this would fix this specific issue but the vast majority of security risks are found and patched over time. You're likely more vulnerable if you don't upgrade vs if you do.

@IceSolst · solst/ICE of Astarte · Voidweaver @AstarteSecurity, pentester/seceng
Impressed

Fascinating seeing security companies are so much worse at responding to incidents than non-security companies. Both Aqua and Checkmarx didn’t do a good job. LiteLLM handled it much better. Curious!!

@berenddeboer · Berend de Boer · CTO of Process Focus
Concerned

The LiteLLM hack is the hack that keeps giving. It's good to know that standard security practices would have prevented it all, it's disappointing to see firms working in the security space failing basic precautions. If you're not using trusted publishing by now, you're a liability.

Split

Compliance skeptics vs. pinning/upgrade advocates (~70/30 critical/constructive)
