fix: pin liteLLM upper bound to 1.82.6 to mitigate supply chain attack #2772

Merged
seratch merged 1 commit into openai:main from gn00295120:fix/pin-litellm-safe-version
Mar 25, 2026

Conversation

@gn00295120
Contributor

Summary

liteLLM versions 1.82.7 and 1.82.8 have been compromised by the TeamPCP hacking group via a supply chain attack through Trivy. The current dependency constraint >=1.81.0, <2 allows these malicious versions to be pulled in.

Impact

The compromised versions steal sensitive credentials and secrets, including:

  • SSH keys (~/.ssh/)
  • AWS credentials (~/.aws/)
  • GCP credentials (~/.config/gcloud/)
  • Kubernetes secrets (~/.kube/)
  • Cryptocurrency wallets
  • CI/CD tokens (GitHub, GitLab, Jenkins, etc.)
  • Environment variables containing secrets

Version 1.82.8 additionally installs a .pth persistence mechanism in site-packages, ensuring the malicious payload survives package upgrades and executes automatically on every Python interpreter startup — even after liteLLM itself is uninstalled.

Fix

This PR pins the upper bound of the liteLLM optional dependency from <2 to <=1.82.6, which is the last known safe version before the compromise.

- litellm = ["litellm>=1.81.0, <2"]
+ litellm = ["litellm>=1.81.0, <=1.82.6"]
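Review bot: the new `<=1.82.6` cap on the `+` line carries no comment saying why it is there or when it can be lifted, so a later routine bump could widen it back to `<2` without anyone rechecking 1.82.7 and 1.82.8. Add a TOML comment above the entry that names the two excluded versions and the condition for raising the bound. Note also that the cap excludes every later release; once a verified clean one exists, keeping `<2` and adding `!=1.82.7, !=1.82.8` would express the same exclusion more narrowly.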

Once BerriAI publishes a verified clean release, this upper bound can be raised again.

References

liteLLM versions 1.82.7 and 1.82.8 were compromised via a supply chain
attack. This pins the upper bound to 1.82.6, the last known safe version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Copilot AI review requested due to automatic review settings March 25, 2026 08:58

Copilot AI left a comment

Pull request overview

Pins the litellm optional dependency to prevent installation of known-compromised liteLLM releases (1.82.7/1.82.8) as a supply-chain mitigation.

Changes:

  • Tighten litellm optional dependency constraint from <2 to <=1.82.6 to avoid compromised versions.

@github-actions github-actions bot added the bug, dependencies and project labels Mar 25, 2026
@seratch seratch removed the bug label Mar 25, 2026
@seratch
Member

seratch commented Mar 25, 2026

This is only effective when a user installs the optional dependency via openai-agents[litellm], so having a safe version lock on the user side instead is generally recommended. That said, there is no reason to avoid this change.

@seratch seratch added this to the 0.13.x milestone Mar 25, 2026
@seratch seratch merged commit abd5cef into openai:main Mar 25, 2026
12 of 13 checks passed
@gn00295120 gn00295120 deleted the fix/pin-litellm-safe-version branch March 25, 2026 13:14
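
A user-side check for the two conditions this thread describes: an installed liteLLM at one of the compromised versions, and a `.pth` startup hook in site-packages. This is an added example, not code from the PR or from the openai-agents project; the function names are illustrative, and it relies on the behaviour of Python's `site` module, which executes any `.pth` line that starts with `import` followed by a space or tab.

```python
"""Added example: audit an environment for the two risks named in this PR."""
import site
import sysconfig
from importlib import metadata
from pathlib import Path

# Versions the PR description names as compromised.
COMPROMISED = {"1.82.7", "1.82.8"}


def litellm_status(installed=None):
    """Return 'absent', 'compromised' or 'ok' for the installed litellm."""
    if installed is None:
        try:
            installed = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return "absent"
    return "compromised" if installed.strip() in COMPROMISED else "ok"


def executable_pth_lines(directory):
    """List (file, line_no, text) for .pth lines the site module would exec.

    Lines that do not start with 'import ' or 'import<TAB>' are treated by
    site.py as comments, blanks or plain path entries, so they are skipped.
    """
    hits = []
    for pth in sorted(Path(directory).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, no, line.strip()))
    return hits


def site_dirs():
    """Existing directories whose .pth files are processed at startup."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    dirs.update(getattr(site, "getsitepackages", lambda: [])())
    return sorted(d for d in dirs if Path(d).is_dir())


if __name__ == "__main__":
    print("litellm:", litellm_status())
    for d in site_dirs():
        for name, no, line in executable_pth_lines(d):
            # Editable installs and some tools also use this hook, so each
            # hit is something to review, not proof of compromise.
            print(f"{d}/{name}:{no}: {line[:120]}")
```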