This week, a serious malware incident unfolded that feels like a plotline from a Silicon Valley satire. The target was LiteLLM, an open source project from a Y Combinator graduate that helps developers easily access hundreds of AI models and manage spending. The project is massively popular, with reports of up to 3.4 million downloads per day, 40,000 stars on GitHub, and thousands of forks.
The malware was discovered, documented, and disclosed by research scientist Callum McMahon of FutureSearch. It infiltrated LiteLLM through a software dependency, meaning another open source package that LiteLLM relies on. Once inside, it stole login credentials from everything it touched. Using those stolen credentials, the malware then gained access to more open source packages and accounts to harvest even more credentials, creating a dangerous chain reaction.
Ironically, a bug in the malware itself led to its discovery. The sloppy code caused McMahon’s machine to shut down after he downloaded LiteLLM, prompting his investigation. He and other experts, like famed AI researcher Andrej Karpathy, concluded the malware was so poorly designed it must have been “vibe coded.”
The LiteLLM developers have been working non-stop to rectify the situation. The good news is that the issue was caught relatively fast, likely within hours.
Another layer of this saga has people talking. As of recently, LiteLLM’s website still prominently displayed that it had passed two major security compliance certifications, SOC2 and ISO 27001. It obtained these certifications through a startup called Delve.
Delve is a Y Combinator AI-powered compliance startup that has been accused of misleading customers about their true compliance status by allegedly generating fake data and using auditors that rubber-stamp reports. Delve has denied these allegations.
There is an important point of nuance here. Such certifications are intended to show a company has strong security policies in place to limit the possibility of incidents. They do not automatically prevent a company from being hit by malware. While SOC 2 is supposed to cover policies surrounding software dependencies, malware can still slip through.
As for LiteLLM, CEO Krrish Dholakia had no comment on the use of Delve. The team is currently focused on cleaning up from the attack. Dholakia stated that their priority is an active investigation alongside Mandiant and that they are committed to sharing the technical lessons learned with the developer community once the forensic review is complete.