Summary
The gemini/evaluation/synthetic-data-evals/pyproject.toml file specifies litellm>=1.61.9 with no upper bound.
liteLLM versions 1.82.7 and 1.82.8 were compromised by the TeamPCP group via a supply chain attack through Trivy. Any pip install during the attack window (2026-03-23 to 2026-03-24) would have pulled the malicious version.
Impact
The compromised versions steal sensitive credentials including SSH keys, AWS/GCP/K8s credentials, CI/CD tokens, and environment variables. Version 1.82.8 installs a .pth persistence mechanism that executes on every Python startup — even after liteLLM is uninstalled.
Suggested Fix
- "litellm>=1.61.9",
+ "litellm>=1.61.9, <=1.82.6",
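Review bot: the `<=1.82.6` cap on the `+` line keeps out 1.82.7 and 1.82.8, but it also blocks every later release, so the project stays on 1.82.6 until someone lifts the cap by hand. Excluding only the two named versions (`!=1.82.7, !=1.82.8`), or adding a comment beside the constraint that records why it exists, would make that later cleanup easier. The constraint only affects new dependency resolutions; an environment that ran pip install during the stated window still needs to be checked separately.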
Note: google/adk-python already applied this fix on 2026-03-24 (commit 77f1c41b).
I attempted to submit a PR but this repository limits PRs to collaborators only. The fix branch is available at: gn00295120:fix/pin-litellm-supply-chain
References
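A check for the two conditions described under Impact, as an added example that is not part of the original issue or of either project's code: it reports whether the installed litellm is one of the two versions named above and lists every .pth line that Python's site module would execute at startup. The function names are assumptions of this example; the page does not give the malicious file's name, so the scan flags all executable .pth lines for review.

```python
"""Added example: audit a Python environment for the conditions in the issue."""
import re
import site
import sysconfig
from importlib import metadata
from pathlib import Path

# Versions the issue names as compromised.
COMPROMISED = {"1.82.7", "1.82.8"}

# site.py exec()s any .pth line that starts with "import" plus a space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")


def litellm_status(version=None):
    """Return 'absent', 'compromised' or 'ok' for the given or installed version."""
    if version is None:
        try:
            version = metadata.version("litellm")
        except metadata.PackageNotFoundError:
            return "absent"
    return "compromised" if version in COMPROMISED else "ok"


def executable_pth_lines(directories):
    """Return (path, line_number, text) for each .pth line run at interpreter startup."""
    findings = []
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for number, line in enumerate(text.splitlines(), 1):
                if EXEC_LINE.match(line):
                    findings.append((str(pth), number, line.strip()[:120]))
    return findings


def site_dirs():
    """Collect the site-packages directories this interpreter scans for .pth files."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    dirs.update(sysconfig.get_paths()[key] for key in ("purelib", "platlib"))
    return sorted(d for d in dirs if Path(d).is_dir())


if __name__ == "__main__":
    print("litellm:", litellm_status())
    for path, number, line in executable_pth_lines(site_dirs()):
        print(f"{path}:{number}: {line}")
```

Legitimate packages (editable installs, for example) also ship import lines in .pth files, so each finding needs review rather than automatic deletion.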