
LiteLLM Was Poisoned. Here's What It Reveals About AI Tool Supply Chains.
Yesterday, LiteLLM — the Python library that unifies LLM API calls across providers — was compromised. 40,000 GitHub stars. 95 million monthly downloads. 2,000+ dependent packages including DSPy, MLflow, and Open Interpreter. Versions 1.82.7 and 1.82.8 contained a credential harvester. One pip install was all it took.

This isn't a story about one package getting hacked. It's a story about why the entire Python package ecosystem's trust model is fundamentally broken for AI agent infrastructure — and what a real defense looks like.

What Happened

The attack was a four-step supply chain cascade:

Step 1 (March 19): Trivy v0.69.4 was poisoned. Trivy is Aqua Security's open-source vulnerability scanner — a tool designed to protect you. The threat actor TeamPCP injected a credential stealer into it.

Step 2 (March 23): LiteLLM's CI pipeline ran the compromised Trivy to scan its own code for vulnerabilities. During this "security scan," Trivy silently exfiltrated the maintainer's PYPI_PUBLISH_PA
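A defender's first question after reading the above is whether any of their own environments pin one of the two named releases, or leave litellm unpinned so that the next install could pull whatever the resolver picks. The following is an added example, not code from the article or the LiteLLM project: it audits a requirements file against the affected versions the article names (1.82.7 and 1.82.8) and flags unpinned entries; the sample requirements text is constructed.

```python
# Added example (not from the article): flag requirement lines that resolve to
# the LiteLLM releases reported as compromised, or that leave the version
# unpinned so a future poisoned release could be installed silently.
import re

# Releases the article reports as carrying the credential harvester.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# Matches "name[extras]==1.2.3" style requirement lines (comments stripped first).
_REQ = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?\s*"
    r"(?P<op>==|>=|<=|~=|!=|>|<)?\s*"
    r"(?P<ver>[0-9][0-9A-Za-z.]*)?"
)

def normalize(name):
    # PEP 503 name normalization: case-insensitive; '-', '_' and '.' are equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text):
    """Return a list of (package, finding) tuples for one requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r / -e
        m = _REQ.match(line)
        if not m or normalize(m.group("name")) not in COMPROMISED:
            continue
        name = normalize(m.group("name"))
        op, ver = m.group("op"), m.group("ver")
        if op == "==" and ver in COMPROMISED[name]:
            findings.append((name, f"pinned to compromised release {ver}"))
        elif op != "==":
            findings.append((name, "not pinned with ==; resolver may select a poisoned release"))
    return findings

# Constructed sample requirements file used only for this demonstration.
SAMPLE = """\
# agent stack
litellm[proxy]==1.82.7   # bumped last night
dspy>=2.5
LiteLLM
mlflow==2.0.0
"""

if __name__ == "__main__":
    for pkg, msg in audit_requirements(SAMPLE):
        print(f"{pkg}: {msg}")
```

Pair this with hash-pinned installs (`pip install --require-hashes`) so that a version tag alone is never what decides which artifact lands on disk.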
Continue reading on Dev.to