The LiteLLM Fork Bomb Was an Accident. That's the Scary Part.

via Dev.to PythonPico

On March 25, 2026, Callum McMahon at futuresearch.ai published a minute-by-minute incident transcript of his team's response to the LiteLLM supply chain compromise. It's excellent — technically precise, honest about where Claude initially misdiagnosed the incident, and worth reading in full. But buried in the timeline is something that changes how you should think about credential security for AI agents. The fork bomb was an accident.

What the Transcript Reveals

The attack vector was litellm_init.pth, a Python .pth file embedded in the compromised package. Python's .pth mechanism executes code at interpreter startup, before any import. This is how the credential harvest began before the application ran a single line.

The harvester's job was straightforward: collect environment variables, SSH keys, AWS credentials, Kubernetes configs, crypto wallet files, shell history — encrypt everything and POST to models.litellm.cloud.

Then something went wrong. From the transcript: The .pth file
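The .pth behaviour described above is worth being able to check for on your own hosts. The following is an added example, not code from the original article or from the LiteLLM project: it walks the directories this interpreter scans for .pth files and reports every line that CPython's site module would exec() at startup (per site.py, a .pth line beginning with "import " or "import<tab>" is executed; any other non-comment line is just appended to sys.path). The demo() function builds a constructed, harmless sample in a temporary directory; the file names, paths and the "/opt/example/lib" entry in it are invented for illustration.

```python
# Added example (not from the original article): audit .pth files for lines
# that Python's site module will exec() when the interpreter starts.
import os
import site
import sysconfig
import tempfile

# site.py executes a .pth line only if it starts with one of these prefixes.
EXEC_PREFIXES = ("import ", "import\t")


def executable_lines(text):
    """Return [(lineno, line)] for every line of a .pth file that site.py would exec()."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.startswith(EXEC_PREFIXES):
            hits.append((lineno, line))
    return hits


def pth_dirs():
    """Directories the running interpreter scans for .pth files."""
    dirs = set()
    for key in ("purelib", "platlib"):
        path = sysconfig.get_path(key)
        if path:
            dirs.add(path)
    if hasattr(site, "getsitepackages"):  # missing in some old virtualenvs
        dirs.update(site.getsitepackages())
    if site.ENABLE_USER_SITE:
        dirs.add(site.getusersitepackages())
    return sorted(d for d in dirs if os.path.isdir(d))


def audit_dir(directory):
    """Map each .pth file in `directory` that contains exec'd lines to those lines."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = executable_lines(fh.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
        if hits:
            findings[path] = hits
    return findings


def audit_interpreter():
    """Audit every .pth directory of the running interpreter."""
    findings = {}
    for directory in pth_dirs():
        findings.update(audit_dir(directory))
    return findings


def demo():
    """Constructed sample: one path-only .pth and one with an exec'd line.

    Returns the base names of the files that were flagged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Path-only entry: appended to sys.path at startup, never executed.
        with open(os.path.join(tmp, "vendor_paths.pth"), "w") as fh:
            fh.write("/opt/example/lib\n")
        # Constructed, harmless import line: site.py would exec() this one.
        with open(os.path.join(tmp, "sample_init.pth"), "w") as fh:
            fh.write("/opt/example/lib\nimport sys; sys.__example_pth_ran = True\n")
        flagged = audit_dir(tmp)
        return sorted(os.path.basename(p) for p in flagged)


if __name__ == "__main__":
    print("constructed sample flagged:", demo())
    for path, hits in audit_interpreter().items():
        print(path)
        for lineno, line in hits:
            print(f"  line {lineno}: {line}")
```

A hit is a lead, not a verdict: legitimate tooling (setuptools' distutils-precedence.pth, virtualenv's _virtualenv.pth, some editable installs) ships import lines in .pth files, so the useful signal is a .pth file that appeared with a package upgrade and whose import line does more than adjust sys.path. Pair the audit with a baseline of the .pth files you expect on a given image so that new ones stand out.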

Continue reading on Dev.to Python