SN 1072: LiteLLM - Click Fix Attacks Surge
Steve Gibson and Leo Laporte discuss the LiteLLM PyPI exploit, a sophisticated supply chain attack that infected the popular AI proxy service with credential-stealing malware. The attack, executed by Team PCP, exploited a compromised security scanner (Trivy) to inject malware that would have affected 3.4 million daily downloads, but was caught due to a coding error that caused systems to crash.
Summary
This episode of Security Now covers a major supply chain attack targeting LiteLLM, a popular Python package that serves as a unified gateway to multiple large language model APIs. The attack was part of a broader campaign by Team PCP, a sophisticated threat group that first compromised Trivy, an open-source vulnerability scanner. Through a misconfigured CI/CD pipeline and atomic credential rotation failures, the attackers gained access to publishing keys and injected malware into LiteLLM versions 1.82.7 and 1.82.8. The malware was designed to steal credentials, SSH keys, Kubernetes secrets, and other sensitive data from infected systems. Fortunately, the attackers made a critical error in their code that caused it to create a fork bomb, crashing systems immediately and alerting users like Callum McMahon to the compromise. The episode also covers California's Digital Age Assurance Act requiring age verification in operating systems, Apple's implementation of age verification in UK and South Korea, Russia's plan to use custom 5G encryption, Google moving the quantum computing threat timeline to 2029, warnings about 'vibe-coded' software as a service replacements, continued ClickFix campaign proliferation (with Apple implementing protections that Microsoft refuses to add), and Reddit's growing AI bot problem requiring potential biometric verification. The show emphasizes how this supply chain attack represents the fragile trust ecosystem that modern software development has created, where convenience is prioritized over security.
About this episode
<p>An explosive supply chain hack in Light LLM nearly unleashed catastrophic malware across millions of AI systems, and it took a coder's quick thinking to catch it before it snowballed into disaster.</p><ul> <li>Will California require Linux to verify its user's age.</li> <li>Apple's iOS 26.4 requires UK users to prove their age.</li> <li>Russia chooses to use home grown 5G mobile encryption.</li> <li>Ukraine knew the webcam was installed by Russian spies.</li> <li>Google moves quantum computing "Q Day" to 2029.</li> <li>At RSA, UK's NCSC CEO warns of vibe-coded SaaS replacements.</li> <li>More information about nasty ClickFix campaigns.</li> <li>More than one in seven Reddit postings are an AI-bot.</li> <li>The story behind the LiteLLM disaster that was averted.</li></ul> <p>Show Notes - <a href="https://www.grc.com/sn/SN-1072-Notes.pdf">https://www.grc.com/sn/SN-1072-Notes.pdf</a></p> <p><strong>Hosts:</strong> <a href="https://twit.tv/people/steve-gibson">Steve Gibson</a> and <a href="https://twit.tv/people/leo-laporte">Leo Laporte</a></p> <p>Download or subscribe to <em>Security Now</em> at <a href="https://twit.tv/shows/security-now">https://twit.tv/shows/security-now</a>.</p> <p>You can submit a question to <em>Security Now</em> at the <a href="https://www.grc.com/feedback.htm" target="_blank">GRC Feedback Page</a>.</p> <p>For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: <a href="https://www.grc.com/securitynow.htm" target="_blank">grc.com</a>, also the home of the best disk maintenance and recovery utility ever written <a href="https://www.grc.com/sr/spinrite.htm" target="_blank">Spinrite 6</a>.</p> <p><strong>Join Club TWiT for Ad-Free Podcasts!</strong><br /> Support what you love and get ad-free audio <em>and</em> video feeds, a members-only Discord, and exclusive content. Join today: <a href="https://twit.tv/clubtwit" rel="payment">https://twit.tv/clubtwit</a></p> <p><strong>Sponsors:</strong><ul> <li><a href="http://threatlocker.com/twit" rel="sponsored" target="_blank">threatlocker.com/twit</a></li> <li><a href="https://www.adaptivesecurity.com/?utm_source=podcast&utm_medium=other&utm_campaign=2026_NA_Podcast_security_now&utm_id=701Rd00000d9YqPIAU" rel="sponsored" target="_blank">adaptivesecurity.com</a></li> <li><a href="http://guardsquare.com" rel="sponsored" target="_blank">guardsquare.com</a></li> <li><a href="http://meter.com/securitynow" rel="sponsored" target="_blank">meter.com/securitynow</a></li> </ul></p>
Key Insights
- Team PCP executed one of the most sophisticated multi-ecosystem supply chain attacks by first compromising Trivy security scanner, then using those credentials to inject malware into LiteLLM
- The LiteLLM malware was designed to steal over 50 categories of secrets including cloud credentials, SSH keys, and Kubernetes tokens from infected systems
- A coding error by the attackers created a fork bomb that crashed systems immediately, preventing the malware from operating stealthily as intended
- 47,000 downloads occurred in 46 minutes before the malicious LiteLLM versions were discovered and quarantined, but the attack could have affected 3.4 million daily downloads
- The attack demonstrates that security scanners themselves have become high-value targets because they require broad access to scan environments
- California's AB 1043 requires operating system providers to implement age verification APIs, but the law relies on self-reported ages rather than ID verification
- Apple has implemented terminal paste protection in macOS 26.4 to block ClickFix attacks, while Microsoft continues to refuse similar protections for Windows
- Google has moved the quantum computing threat timeline to 2029, accelerating post-quantum cryptography deployment across their products
- AI-powered 'vibe coding' threatens the software-as-a-service industry by enabling rapid development of in-house alternatives to expensive subscription services
- Reddit faces an existential threat from AI bots, with roughly 15% of posts now AI-generated, forcing consideration of biometric verification requirements
- The supply chain attack originated from atomic operation failures during Aqua Security's credential rotation, allowing attackers to maintain persistence
- Modern software development creates fragile trust ecosystems where convenience consistently trumps security considerations
- Residential proxies make AI bot detection nearly impossible by IP address, as bots appear as legitimate users distributed globally
- The emergence of standardized age verification APIs could resolve VPN circumvention issues since user platforms, not IP addresses, would provide age signals
- Russia's plan to implement custom NEA-7 encryption for 5G networks will likely isolate Russian citizens with inferior hardware and incompatible global standards
Topics
Transcript
It's time for security now. Steve Gibson is here with a show about something that should send a chill into the heart of every coder. The nightmare PyPI exploit, LightLLM, will do a kind of deep dive onto what happened, how it happened, and what we can do to prevent it in the future. Plus, we'll talk about age verification on Linux, a good move from Apple on the ClixFix vulnerability, and is quantum computing moving closer? Steve has thoughts next on Security Now. Podcasts you love. From people you trust. This is Twit. This is Security Now. This is Security Now with Steve Gibson. Episode 1072, recorded Tuesday, March 31st, 2026. LightLLM. It's time for security now. I know,…
Full transcript available for MurmurCast members
Sign Up to AccessMore from Security Now (Audio)
SN 1086: The Apex Agentic Adversary - Visual Prompt Injection Strikes
Security Now episode 1086 covers Fable 5's degraded performance due to strict safety guardrails, Chrome 150's massive 433 security fixes, visual prompt injection attacks (Inkjet), and severe FATFS library vulnerabilities affecting millions of embedded devices. The episode explores how AI is transforming both offensive and defensive cybersecurity capabilities.
SN 1085: A SOTA State-Sponsored Campaign - AI's New Superpower: Loop Engineering
Security Now Episode 1085 covers Windows 10 receiving another year of extended support, Meta's employee surveillance program backfiring with exposed data, state-sponsored credential attacks on Fortinet devices affecting 86,000+ organizations globally, and AI's emerging capability to discover vulnerabilities at scale through iteration and looping techniques.
SN 1081: AI Captured the Flag - Personal AI: Productivity Superpower or Privacy Threat?
The podcast discusses the significant impact of AI on cybersecurity practices and Capture the Flag (CTF) competitions, noting a shift in the ability to solve challenges using AI tools. This transition raises concerns about the future of skill measurement in the cybersecurity field, as traditional CTF competitions are being undermined by AI's capabilities.
SN 1076: FAST16.SYS - Unmasking the NSA's Most Diabolical Digital Sabotage
Security Now episode 1076 covers the discovery of FAST16.SYS, a sophisticated NSA-linked kernel rootkit from 2005 that subtly corrupted physics and engineering calculation software — predating Stuxnet by five years. The episode also covers a Bitwarden CLI supply chain attack, Iranian router malfunctions before the US/Israeli strikes, Meta's employee activity logging for AI training, and Steve Gibson's GRC e-commerce system rewrite.
SN 1075: Yes. Exactly. - The Zero-Day Ticking Clock
Security Now episode 1075 discusses the growing threat of AI-powered vulnerability discovery, particularly Anthropic's Project Mythos, which Mozilla confirmed found 271 bugs in Firefox. The episode also covers a disgruntled researcher publishing Windows zero-days, Microsoft's record bug bounty payouts, and a formal industry-wide warning signed by top cybersecurity leaders urging immediate action.