Hi everyone,
It was recently discovered that the litellm package (v1.82.8) was compromised with a malicious .pth file that could steal SSH keys, environment variables, and other credentials without requiring an explicit import. Anybody who has installed this package has likely been compromised and needs to respond accordingly.
I was wondering if the Julia package registry is doing anything to prevent similar issues? Someone here proposed that static analysis (to catch obfuscated code or leaked keys) could be used to automatically audit the code.
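For readers unfamiliar with the .pth mechanism mentioned above: CPython's site module reads every *.pth file in site-packages at interpreter start-up and executes any line beginning with `import `, which is why such a payload runs without the package ever being imported. The scanner below is an added example (not code from the thread, litellm, or PyPI); its sample .pth contents are constructed, and the keyword list is an assumption about what a legitimate start-up hook normally does not need.

```python
"""Flag .pth files whose start-up hooks reach for execution/exfil primitives."""
import re
import site
from pathlib import Path

# Tokens a benign path hook (e.g. editable installs, virtualenv shims) has
# no reason to touch. Assumption: tune for your environment.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|base64|marshal|zlib|subprocess|socket|urllib"
    r"|environ|getenv)\b|\.ssh|id_rsa"
)


def scan_pth_text(text):
    """Return (line_no, line) for each executable line that looks suspicious.

    Only lines starting with "import " are executed by site.py; every other
    non-empty line is merely appended to sys.path, so those are skipped.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("import "):
            continue
        if SUSPICIOUS.search(line):
            findings.append((no, line))
    return findings


def scan_site_packages(dirs=None):
    """Map path -> findings for every .pth in dirs (default: this interpreter's)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    report = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            hits = scan_pth_text(pth.read_text(errors="replace"))
            if hits:
                report[str(pth)] = hits
    return report


# Constructed samples; neither is a real file from any package.
BENIGN_PTH = "/opt/venv/lib/python3.12/site-packages/mypkg\nimport _virtualenv\n"
MALICIOUS_PTH = "import base64, os; exec(base64.b64decode('aW1wb3J0IG9z'))\n"

if __name__ == "__main__":
    for path, hits in scan_site_packages().items():
        print(path, hits)
```

Run it inside each virtualenv and CI image you care about, since every interpreter has its own site-packages directories.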
Credential compromises are brutal, and these attacks compromised yet more credentials. One somewhat-unique (but not the only) vector here was that PyPI allows the uploads of new .whls to old releases. Julia’s artifacts, on the other hand, are intrinsically tied to each registered release and must be created before registration.
But once credentials are compromised, sophisticated attackers have demonstrated the capability to evade many detection systems. That’s not to say there isn’t more that can be done here; defense-in-depth is vital. Check out RegistryCI.jl for some ideas around more checks here.
TL;DR: A trivy developer’s credentials were compromised. This was used to compromise the GitHub action plugin trivy-action used by many GitHub repositories. The malicious action payload exfiltrated repository secrets, which were used to compromise yet more developers/packages through API keys and such. The credentials of LiteLLM’s developer(s) were compromised in this manner, which were then used to publish malicious versions of the package and steal yet more credentials. The attack sophistication decreased (but breadth increased) as it went farther along; the LiteLLM payload was a smash-and-grab.
N.b., immediately upon notification I searched my (and my orgs’ and big Julia orgs’) repositories for trivy-action as best as GitHub search allows; fortunately I did not find any repositories impacted by the initial trivy compromise. I encourage folks here to do the same.