Security Now 1072: LiteLLM

Hosted by: Steve Gibson & Leo Laporte
Recorded: March 31, 2026
Main Theme: The Explosive LiteLLM PyPI Exploit & The State of Software Supply Chain Security

Episode Overview

In this packed episode, Steve and Leo dissect a chilling new exploit in the Python supply chain that targeted LiteLLM, a hugely popular open-source library serving as a universal gateway for dozens of AI models (LLMs). After a brief recap of RSAC 2026 and encounters with cybersecurity figures like Marcus Hutchins, the co-hosts break down what happened with the LiteLLM hack, how it escalated through a chain of open-source dependencies, and the wider implications for developer security. They also discuss California's controversial age verification law for operating systems, Apple and Reddit's various responses to verification requirements, Russia’s dubious encryption gambit, SaaS disruption via AI-vibe coding, AI bot proliferation, and shifting expectations in quantum safety.

Throughout, the focus is on very real, near-miss disasters—why we're dodging “bullets” for now, and how fragile the open-source ecosystem truly is.

Key Discussion Points & Insights

1. Live from RSAC 2026: The Security Climate

Leo describes his visit to the RSA Conference, including a meeting with Marcus Hutchins ("cybersecurity guru") and the vibe around new AI defensive tools.
"We are living in a weird time with AI. ...I specifically wanted to talk to people who are using AI defensively...the best thing we found was to tell the models, we will sue you if you don't find the flaw. And it worked. It scared 'em!" —Leo [02:34]
Steve jestingly predicts the rise of "AI HR" departments as AI becomes more agentic.
Apple’s leaked Anthropic “Claude” code reveals prompts to make AI more personable and “sticky.”

2. LiteLLM Supply Chain Attack: Anatomy of a Near-Disaster [~09:34 & Deep Dive at 1:13:58]

What is LiteLLM?
- An open-source Python SDK/gateway trusted by major companies (Adobe, Lemonade, Rocket Money, etc.).
- Allows developers to access 100+ LLMs seamlessly using a standard API.
What Happened?
- Malicious versions (1.82.7, 1.82.8) were uploaded to PyPI, which LiteLLM users often install or update automatically due to unpinned dependencies.
- The malware was sophisticated: cascaded via “Team PCP,” stole cloud credentials, SSH keys, Kubernetes tokens, leveraged CI/CD pipelines, and sent data to external domains (with data encrypted for exfiltration).
- Discovery: Security researcher Callum McMahon experienced a cascade of 11,000 Python processes (a result of a buggy “fork bomb” in the malware), hinting the attackers moved too quickly and deployed untested code.
- “Without this error, it would have gone unnoticed for much, much longer.” —Steve paraphrasing [1:31:09]
How the Attack Chain Unfurled [1:39:04]
- Rooted in a compromise of the Trivy security scanner’s CI pipeline (Aqua Security), which allowed Team PCP to abuse credentials and push malicious downstream packages like LiteLLM.
- Automation, unpinned dependencies, and open-source trust created ideal conditions for supply chain havoc.
- 47,000 downloads in 46 minutes; the potential blast radius could have dwarfed previous incidents.
Takeaway:
- “We have dodged another bullet.” —Steve [1:58:59]
- "The industry has built an ecosystem upon which it has become dependent, whose security guarantees are truly fragile. We're essentially hoping for the best because the goodies are just too enticing for us to resist."
- Recommendations: Pin dependencies, audit lock files, minimize local secret exposure, and understand the risks in dependency chains and CI/CD (continuous integration/continuous deployment) pipelines.

3. Broader Open-Source & Software Supply Chain Risks [09:55, 87:24]

Attackers are increasingly targeting software repositories and dependency chains (PyPI, NPM, Dockerhub, GitHub Actions).
The trade-off of convenience for security remains unresolved, especially with the lure of “free,” quick integration.
“It’s the easy attacks that a much greater percentage of hackers can jump on.” —Steve [04:53]

4. California’s Age Verification Law: Why the Linux Community is Exploding [15:20–53:21]

New law (AB 1043) will require OSes and app stores in California to prompt for a user’s age bracket during setup, sharing it with apps/websites via API.
Pushback from the Linux and open-source communities: “There’s no way to enforce it...It’s not even clear how they would know.” —Leo [32:25]
Apple and Google are reluctant but moving in the direction of device-based age signaling.
Reason Foundation and other analysts point out the privacy advantages of bracketed, self-reported age (versus hard ID), but warn about possible loss of parental agency and privacy erosion if the move is not opt-in.
“Age assurance need not come at the expense of privacy or parental autonomy.” —Reason Foundation [45:08]

5. Apple's and Reddit’s Responses to Age Verification and Bots [56:21–71:13, 95:59–109:37]

Apple, complying with UK and South Korea law, rolls out intrusive age verification for Apple IDs (credit card or ID photos).
Reddit faces rapid bot proliferation (at least 1 in 7 posts now AI-generated) and may turn to biometric verification (FaceID/TouchID) to stem the tide. Discord and others are already doing this for age gating, at the risk of privacy and undermining anonymity.
AI detectors are unreliable; community outrage is mounting.
“This is a problem that has no solution.” —Steve [107:18]
“Reddit users are not happy...This kills Reddit if you start requiring people to de-anonymize themselves.” —Leo [106:23]
“We want to be able to say what we want to say without being held personally responsible.” —Steve [108:44]

6. Click Fix—A Rampant Social Engineering Technique [90:14, 95:59]

“Click Fix” social engineering (fake browser / system messages coaxing users to paste malware into Terminal/Run dialogs) is now responsible for more than half of observed breaches.
Apple’s prompt solution: In macOS 26.4, pasting suspicious code into Terminal now triggers a warning dialog: “Possible malware paste blocked.”
“It would sure be nice if Windows 11 users could have this simple exploit prevented by Microsoft caring, which is all it takes—a little bit of care from Microsoft, as Apple has just demonstrated.” —Steve [97:05]

7. Russia’s "Patriotic" Encryption Standards—A Market Suicide [61:26–67:27]

Russia aims to enforce a proprietary national encryption (NEA 7) in all post-2032 phones and 5G networks, breaking international compatibility.
No big vendors are likely to support this; market isolation and inferior technology are the likely outcome.
“One of the most important lessons taught by the Industrial Revolution is the incredible power that comes from standardization.” —Steve [63:23]

8. AI Disrupting SaaS: The Rise of “Vibe Coding” [74:18–87:20]

“Vibe coding” = software produced by AI with minimal human input, threatening to replace commercial SaaS tools with in-house, AI-generated options.
Security professionals warn that, without focus, this could lead to more insecure, unmaintainable bespoke apps, turning "security-by-hope" into a systemic risk.
“Security will truly be sacrificed at the altar of economics.” —Steve [84:37]

9. Quantum Threats: Moving the "Q-Day" Timeline [69:01–74:18]

Google thinks the quantum computing threat for practical codebreaking may arrive as early as 2029 (so-called “Q-Day” accelerated).
Most analysts (and Steve) are skeptical, seeing the threat as still distant, but recommend moving ahead with post-quantum cryptography “just in case.”

Notable Quotes & Memorable Moments

On the LiteLLM Supply Chain Disaster:
- “This is a classic supply chain attack…essentially, we’re hoping for the best because the goodies are just too enticing for us to resist. Or phrased another way, the cost to us today of deploying truly secure solutions prices them out of reach, rendering them impractical.” —Steve [1:58:59]
On Unsolvable Problems:
- “We have an undetectable bot problem.…This is a problem that has no solution. And I don’t say that often.” —Steve [105:15, 107:18]
On the Fragility of Trust:
- “This case highlights the risk of building an entire ecosystem on top of fragile trust.…Security is not an afterthought.” —Trend Micro quoted by Steve [1:57:00]
On California's Law:
- “No Linux users want a nosy government to have its mitts on their beloved independent open-source operating system!” —Steve [18:09]
On Automation Gone Wrong:
- “It’s not just the packages, it’s also automation.…If you’re automating to that degree and you’re not paying attention, well, some real risk.” —Leo [159:56]

Timestamps of Major Segments

00:00 - Opening; RSAC 2026 recap & Marcus Hutchins anecdote
02:34 - The modern AI “agentic era” and defensive AI
09:34 - Teaser: The LiteLLM attack & threat of supply chain attacks
15:20 - Picture of the Week (hilarious plug hack)
18:09 – New California Age Verification Law: Community outrage
32:25 – Can Linux distros comply? (and the enforcement conundrum)
45:08 – Reason Foundation analysis: Privacy, parental agency, opt-in
56:21 – Apple age verification goes live in UK/Korea
61:26 – Russia’s 5G encryption boondoggle
67:27 – Ukraine outsmarts Russian spy thermostat
69:01 – Quantum crypto threat - Google’s prediction
74:18 – UK NCSC warning: AI-produced "Vibe Coding" and SaaS
87:24 – Dependency pinning as a partial solution
90:14 – Click Fix: Social engineering and Apple’s new Terminal dialog
95:59 – Click Fix now half of all security breaches; Windows lagging
104:42 – Reddit bot crisis; biometric verification debate
113:58 – LiteLLM Deep Dive starts: What it does, why it's popular, path to mass compromise
119:19 – Anatomy of the LiteLLM exploit: McMahon’s discovery
131:09 – Dependency chains, “unpinning,” and the fork bomb error
139:04 – Trend Micro analysis: Trivy as initial vector, CI/CD pitfalls
158:12 – The dodged bullet: What could have happened
159:56 – Generalizing the risk: Automation, open-source trust, and future exposures

Practical Takeaways

Dependency Management:
- Pin all dependencies whenever possible; use lock files with checksums.
- Regularly audit dependencies and CI/CD pipeline configuration.
Secret Hygiene:
- Don’t store secrets in plain .env files or unprotected local paths.
Automation Vigilance:
- Automated deployments (CI/CD) are double-edged—monitor and secure them closely.
Behavioral Hardening:
- For social engineering, reinforce IT controls (e.g., disabling the Run dialog in Windows when possible, constraining scripting interfaces).
AI Tools (Vibe Coding):
- Ensure stringent review and testing; don’t trust AI-generated code without auditing.

Final Thoughts

The LiteLLM incident is a “dodged bullet”—caught not because of our well-designed defenses, but because the attacker’s code was buggy and noisy. Steve and Leo urge the tech community to recognize how shaky the foundations of open-source, automation-heavy development have become, with risk now outpacing traditional controls. The episode mixes technical forensics with critical warnings: today’s software supply chain is fragile, and as AI multiplies both offensive tools and defensive complexity, vigilance, skepticism, and a rethink of trust are in order.

Next Episode: More on the evolving threat landscape as Steve and Leo keep watch over the agentic era.

Security Now 1072: LiteLLM

Hosted by: Steve Gibson & Leo Laporte
Recorded: March 31, 2026
Main Theme: The Explosive LiteLLM PyPI Exploit & The State of Software Supply Chain Security

Episode Overview

Throughout, the focus is on very real, near-miss disasters—why we're dodging “bullets” for now, and how fragile the open-source ecosystem truly is.

Key Discussion Points & Insights

1. Live from RSAC 2026: The Security Climate

Leo describes his visit to the RSA Conference, including a meeting with Marcus Hutchins ("cybersecurity guru") and the vibe around new AI defensive tools.
"We are living in a weird time with AI. ...I specifically wanted to talk to people who are using AI defensively...the best thing we found was to tell the models, we will sue you if you don't find the flaw. And it worked. It scared 'em!" —Leo [02:34]
Steve jestingly predicts the rise of "AI HR" departments as AI becomes more agentic.
Apple’s leaked Anthropic “Claude” code reveals prompts to make AI more personable and “sticky.”

2. LiteLLM Supply Chain Attack: Anatomy of a Near-Disaster [~09:34 & Deep Dive at 1:13:58]

What is LiteLLM?
- An open-source Python SDK/gateway trusted by major companies (Adobe, Lemonade, Rocket Money, etc.).
- Allows developers to access 100+ LLMs seamlessly using a standard API.
What Happened?
- Malicious versions (1.82.7, 1.82.8) were uploaded to PyPI, which LiteLLM users often install or update automatically due to unpinned dependencies.
- The malware was sophisticated: cascaded via “Team PCP,” stole cloud credentials, SSH keys, Kubernetes tokens, leveraged CI/CD pipelines, and sent data to external domains (with data encrypted for exfiltration).
- Discovery: Security researcher Callum McMahon experienced a cascade of 11,000 Python processes (a result of a buggy “fork bomb” in the malware), hinting the attackers moved too quickly and deployed untested code.
- “Without this error, it would have gone unnoticed for much, much longer.” —Steve paraphrasing [1:31:09]
How the Attack Chain Unfurled [1:39:04]
- Rooted in a compromise of the Trivy security scanner’s CI pipeline (Aqua Security), which allowed Team PCP to abuse credentials and push malicious downstream packages like LiteLLM.
- Automation, unpinned dependencies, and open-source trust created ideal conditions for supply chain havoc.
- 47,000 downloads in 46 minutes; the potential blast radius could have dwarfed previous incidents.
Takeaway:
- “We have dodged another bullet.” —Steve [1:58:59]
- "The industry has built an ecosystem upon which it has become dependent, whose security guarantees are truly fragile. We're essentially hoping for the best because the goodies are just too enticing for us to resist."
- Recommendations: Pin dependencies, audit lock files, minimize local secret exposure, and understand the risks in dependency chains and CI/CD (continuous integration/continuous deployment) pipelines.

3. Broader Open-Source & Software Supply Chain Risks [09:55, 87:24]

Attackers are increasingly targeting software repositories and dependency chains (PyPI, NPM, Dockerhub, GitHub Actions).
The trade-off of convenience for security remains unresolved, especially with the lure of “free,” quick integration.
“It’s the easy attacks that a much greater percentage of hackers can jump on.” —Steve [04:53]

4. California’s Age Verification Law: Why the Linux Community is Exploding [15:20–53:21]

New law (AB 1043) will require OSes and app stores in California to prompt for a user’s age bracket during setup, sharing it with apps/websites via API.
Pushback from the Linux and open-source communities: “There’s no way to enforce it...It’s not even clear how they would know.” —Leo [32:25]
Apple and Google are reluctant but moving in the direction of device-based age signaling.
Reason Foundation and other analysts point out the privacy advantages of bracketed, self-reported age (versus hard ID), but warn about possible loss of parental agency and privacy erosion if the move is not opt-in.
“Age assurance need not come at the expense of privacy or parental autonomy.” —Reason Foundation [45:08]

5. Apple's and Reddit’s Responses to Age Verification and Bots [56:21–71:13, 95:59–109:37]

Apple, complying with UK and South Korea law, rolls out intrusive age verification for Apple IDs (credit card or ID photos).
Reddit faces rapid bot proliferation (at least 1 in 7 posts now AI-generated) and may turn to biometric verification (FaceID/TouchID) to stem the tide. Discord and others are already doing this for age gating, at the risk of privacy and undermining anonymity.
AI detectors are unreliable; community outrage is mounting.
“This is a problem that has no solution.” —Steve [107:18]
“Reddit users are not happy...This kills Reddit if you start requiring people to de-anonymize themselves.” —Leo [106:23]
“We want to be able to say what we want to say without being held personally responsible.” —Steve [108:44]

6. Click Fix—A Rampant Social Engineering Technique [90:14, 95:59]

“Click Fix” social engineering (fake browser / system messages coaxing users to paste malware into Terminal/Run dialogs) is now responsible for more than half of observed breaches.
Apple’s prompt solution: In macOS 26.4, pasting suspicious code into Terminal now triggers a warning dialog: “Possible malware paste blocked.”
“It would sure be nice if Windows 11 users could have this simple exploit prevented by Microsoft caring, which is all it takes—a little bit of care from Microsoft, as Apple has just demonstrated.” —Steve [97:05]

7. Russia’s "Patriotic" Encryption Standards—A Market Suicide [61:26–67:27]

Russia aims to enforce a proprietary national encryption (NEA 7) in all post-2032 phones and 5G networks, breaking international compatibility.
No big vendors are likely to support this; market isolation and inferior technology are the likely outcome.
“One of the most important lessons taught by the Industrial Revolution is the incredible power that comes from standardization.” —Steve [63:23]

8. AI Disrupting SaaS: The Rise of “Vibe Coding” [74:18–87:20]

“Vibe coding” = software produced by AI with minimal human input, threatening to replace commercial SaaS tools with in-house, AI-generated options.
Security professionals warn that, without focus, this could lead to more insecure, unmaintainable bespoke apps, turning "security-by-hope" into a systemic risk.
“Security will truly be sacrificed at the altar of economics.” —Steve [84:37]

9. Quantum Threats: Moving the "Q-Day" Timeline [69:01–74:18]

Google thinks the quantum computing threat for practical codebreaking may arrive as early as 2029 (so-called “Q-Day” accelerated).
Most analysts (and Steve) are skeptical, seeing the threat as still distant, but recommend moving ahead with post-quantum cryptography “just in case.”

Notable Quotes & Memorable Moments

On the LiteLLM Supply Chain Disaster:
- “This is a classic supply chain attack…essentially, we’re hoping for the best because the goodies are just too enticing for us to resist. Or phrased another way, the cost to us today of deploying truly secure solutions prices them out of reach, rendering them impractical.” —Steve [1:58:59]
On Unsolvable Problems:
- “We have an undetectable bot problem.…This is a problem that has no solution. And I don’t say that often.” —Steve [105:15, 107:18]
On the Fragility of Trust:
- “This case highlights the risk of building an entire ecosystem on top of fragile trust.…Security is not an afterthought.” —Trend Micro quoted by Steve [1:57:00]
On California's Law:
- “No Linux users want a nosy government to have its mitts on their beloved independent open-source operating system!” —Steve [18:09]
On Automation Gone Wrong:
- “It’s not just the packages, it’s also automation.…If you’re automating to that degree and you’re not paying attention, well, some real risk.” —Leo [159:56]

Timestamps of Major Segments

00:00 - Opening; RSAC 2026 recap & Marcus Hutchins anecdote
02:34 - The modern AI “agentic era” and defensive AI
09:34 - Teaser: The LiteLLM attack & threat of supply chain attacks
15:20 - Picture of the Week (hilarious plug hack)
18:09 – New California Age Verification Law: Community outrage
32:25 – Can Linux distros comply? (and the enforcement conundrum)
45:08 – Reason Foundation analysis: Privacy, parental agency, opt-in
56:21 – Apple age verification goes live in UK/Korea
61:26 – Russia’s 5G encryption boondoggle
67:27 – Ukraine outsmarts Russian spy thermostat
69:01 – Quantum crypto threat - Google’s prediction
74:18 – UK NCSC warning: AI-produced "Vibe Coding" and SaaS
87:24 – Dependency pinning as a partial solution
90:14 – Click Fix: Social engineering and Apple’s new Terminal dialog
95:59 – Click Fix now half of all security breaches; Windows lagging
104:42 – Reddit bot crisis; biometric verification debate
113:58 – LiteLLM Deep Dive starts: What it does, why it's popular, path to mass compromise
119:19 – Anatomy of the LiteLLM exploit: McMahon’s discovery
131:09 – Dependency chains, “unpinning,” and the fork bomb error
139:04 – Trend Micro analysis: Trivy as initial vector, CI/CD pitfalls
158:12 – The dodged bullet: What could have happened
159:56 – Generalizing the risk: Automation, open-source trust, and future exposures

Practical Takeaways

Dependency Management:
- Pin all dependencies whenever possible; use lock files with checksums.
- Regularly audit dependencies and CI/CD pipeline configuration.
Secret Hygiene:
- Don’t store secrets in plain .env files or unprotected local paths.
Automation Vigilance:
- Automated deployments (CI/CD) are double-edged—monitor and secure them closely.
Behavioral Hardening:
- For social engineering, reinforce IT controls (e.g., disabling the Run dialog in Windows when possible, constraining scripting interfaces).
AI Tools (Vibe Coding):
- Ensure stringent review and testing; don’t trust AI-generated code without auditing.

Final Thoughts

Next Episode: More on the evolving threat landscape as Steve and Leo keep watch over the agentic era.

wavePod

Security Now 1072: LiteLLM

Summary

Security Now 1072: LiteLLM

Episode Overview

Key Discussion Points & Insights

1. Live from RSAC 2026: The Security Climate

2. LiteLLM Supply Chain Attack: Anatomy of a Near-Disaster [~09:34 & Deep Dive at 1:13:58]

3. Broader Open-Source & Software Supply Chain Risks [09:55, 87:24]

4. California’s Age Verification Law: Why the Linux Community is Exploding [15:20–53:21]

5. Apple's and Reddit’s Responses to Age Verification and Bots [56:21–71:13, 95:59–109:37]

6. Click Fix—A Rampant Social Engineering Technique [90:14, 95:59]

7. Russia’s "Patriotic" Encryption Standards—A Market Suicide [61:26–67:27]

8. AI Disrupting SaaS: The Rise of “Vibe Coding” [74:18–87:20]

9. Quantum Threats: Moving the "Q-Day" Timeline [69:01–74:18]

Notable Quotes & Memorable Moments

Timestamps of Major Segments

Practical Takeaways

Final Thoughts

Summary

Security Now 1072: LiteLLM

Episode Overview

Key Discussion Points & Insights

1. Live from RSAC 2026: The Security Climate

2. LiteLLM Supply Chain Attack: Anatomy of a Near-Disaster [~09:34 & Deep Dive at 1:13:58]

3. Broader Open-Source & Software Supply Chain Risks [09:55, 87:24]

4. California’s Age Verification Law: Why the Linux Community is Exploding [15:20–53:21]

5. Apple's and Reddit’s Responses to Age Verification and Bots [56:21–71:13, 95:59–109:37]

6. Click Fix—A Rampant Social Engineering Technique [90:14, 95:59]

7. Russia’s "Patriotic" Encryption Standards—A Market Suicide [61:26–67:27]

8. AI Disrupting SaaS: The Rise of “Vibe Coding” [74:18–87:20]

9. Quantum Threats: Moving the "Q-Day" Timeline [69:01–74:18]

Notable Quotes & Memorable Moments

Timestamps of Major Segments

Practical Takeaways

Final Thoughts