This could be an episode straight out of HBO’s Silicon Valley satire. Malware was recently discovered in the open-source project LiteLLM, built by the Y Combinator alumnus of the same name. LiteLLM gives developers easy access to a range of AI models, along with features such as spend management. It is a significant success, with downloads reaching up to 3.4 million a day according to security firm Snyk, and the project has more than 40K stars on GitHub and numerous forks.
Research scientist Callum McMahon of FutureSearch, a firm that builds AI agents for web research, uncovered, documented, and disclosed the malware. It arrived through a “dependency,” that is, other open-source software that LiteLLM itself relies on. Once running, the malware harvested login credentials from whatever it could reach, then used them to compromise further open-source packages and accounts and harvest still more credentials. When McMahon downloaded LiteLLM, his system shut down, which prompted him to investigate. Ironically, the shutdown was caused by a bug in the malware itself, a sloppily written piece of code that McMahon and noted AI researcher Andrej Karpathy both remarked looked vibe coded.
This week, LiteLLM’s developers have been working to address the issue, which was detected quickly, possibly within hours. Another topic of discussion on X, however, is LiteLLM’s website, where, as of March 25, the company stated that it had completed two major security compliance certifications, SOC 2 and ISO 27001, through a startup called Delve.
Delve, a Y Combinator AI-enabled compliance startup, has been accused of misleading customers about the reality of their compliance by producing fake data and using auditors who rubber-stamp reports. Delve has contested these claims. This points to a nuance worth understanding: certifications like these are meant to demonstrate that an organization has strong security policies, including ones intended to prevent incidents like this, but they do not by themselves protect against a malware attack. Even when a SOC 2 audit covers software dependencies, malware can still get in through one of them.
As engineer Gergely Orosz pointed out on X, “Oh damn, I thought this WAS a joke. … but no, LiteLLM *really* was ‘Secured by Delve.’”
LiteLLM CEO Krrish Dholakia didn’t comment on Delve’s involvement. His focus remains on responding to the attack. “Our current priority is the active investigation alongside Mandiant. We are committed to sharing the technical lessons learned with the developer community once our forensic review is complete,” he told TechCrunch.