Yesterday the United States government banned all non-US produced computer networking equipment from the United States over security concerns.
Network stuff currently in use can stay, however moving forward they must be produced in the United States or be given special approval ... or stop selling in the United States.
Network stuff currently in use can stay, however moving forward they must be produced in the United States or be given special approval ... or stop selling in the United States.
π€£116π€―18π₯°12π8β€3π2π«‘2
vx-underground
Yesterday the United States government banned all non-US produced computer networking equipment from the United States over security concerns. Network stuff currently in use can stay, however moving forward they must be produced in the United States or beβ¦
The Verge
The US government just banned consumer routers made outside the US
You can keep using your existing router.
π₯°41π€£25π13π’6β€4π₯1
Whoa whoa whoa. Everyone CLAM down for a second.
Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payload failing.
HOWEVER, this has been determined to be NOT TRUE. The payload was a SUCCESS. The payload failed in specific edge cases (currently unknown). The Threat Actor(s) managed to exfiltrate data from 500,000 infected machines (approx. 300gb of data).
I have confirmed this from three different sources. The initially news which is spreading all over social media is incorrect and this is actually a very big bamboozle.
They had one short, one opportunity, and did indeed seize it (but only failing in specific and unknown edge cases).
It's all over for LLM-dependency nerds. Also, in a bit of irony, LiteLLM is SOC2 certified by Delve.
This is very big shenanigans for a Tuesday.
Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payload failing.
HOWEVER, this has been determined to be NOT TRUE. The payload was a SUCCESS. The payload failed in specific edge cases (currently unknown). The Threat Actor(s) managed to exfiltrate data from 500,000 infected machines (approx. 300gb of data).
I have confirmed this from three different sources. The initially news which is spreading all over social media is incorrect and this is actually a very big bamboozle.
They had one short, one opportunity, and did indeed seize it (but only failing in specific and unknown edge cases).
It's all over for LLM-dependency nerds. Also, in a bit of irony, LiteLLM is SOC2 certified by Delve.
This is very big shenanigans for a Tuesday.
β€55π€16π€£14π«‘8π₯5π±2π1π₯°1π1
vx-underground
Whoa whoa whoa. Everyone CLAM down for a second. Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payloadβ¦
> malware analyst goes on x
> says supply chain attack failed
> everyone calms down
> supply chain was actually a success
> panic intensified by 150%
> says supply chain attack failed
> everyone calms down
> supply chain was actually a success
> panic intensified by 150%
π€£90π«‘10π7β€3π€3π±2π₯°1
Chat, I'll tell you one thing right now, this LiteLLM supply-chain attack is one big stinky mess.
No information has been released publicly (yet) on vendors impacted, but the stink I've been sniffing suggests this is very serious shenanigans and DFIR nerds are not happy
No information has been released publicly (yet) on vendors impacted, but the stink I've been sniffing suggests this is very serious shenanigans and DFIR nerds are not happy
π€60π12π«‘10β€3π3π₯°1
People asking me for the anime lore on this LiteLLM compromise.
I'll do it tomorrow. It's got some filler episodes, but they're still lowkey important for later references.
The first episode is kind of cool, it slows down, but then toward the end of the anime it gets crazy.
In extreme summary, nerds compromised a thingie, used it to compromise other thingies, used that to compromise other thingies, then did the big thingie with LiteLLM
It's a big cluster fuck because now you're like, what did they steal? Do they have access to anything else? How long is season 1 of this anime? It's wild stuff
I'll do it tomorrow. It's got some filler episodes, but they're still lowkey important for later references.
The first episode is kind of cool, it slows down, but then toward the end of the anime it gets crazy.
In extreme summary, nerds compromised a thingie, used it to compromise other thingies, used that to compromise other thingies, then did the big thingie with LiteLLM
It's a big cluster fuck because now you're like, what did they steal? Do they have access to anything else? How long is season 1 of this anime? It's wild stuff
π₯°41β€17π₯12π7
The LiteLLM supply chain attack is big shenanigans. I have to explain the whole thingie though so you can get the full context of the shenanigans. TeamPCP (the people who probably did it) is unironically swinging a big ass fuck off baseball bat, they're swinging for the moon.
tl;dr see picture of cat as summary
I also want to preface this with I DID NOT PERFORM THIS ANALYSIS. I almost never do open-source solutions malware stuff and this is also more in the line of work with DFIR (Digital Forensics and Incident Response). This summary comes from various peers and colleagues of mine who have been discussing TeamPCP the past couple of days.
DFIR nerds I sourced:
- ramimacisabird
- InsiderPhD
Non DFIR nerds I sourced:
- IceSolst
- IntCyberDigest
Yeah, so pretty much this group of nerds named TeamPCP bamboozled an open-source security product called Trivy. TeamPCP sent a pull request on GitHub but did it with "pull_request_target".
Normally a pull request isn't a big deal. Nerds do it all the time. "pull_request_target" though is designed to copy secrets, tokens, etc. pull_request_target is a legit thing. People do it all the time. It should only be performed by people you trust. TeamPCP impersonated a legitimate GitHub contributor.
Trivy was caught slippin'. When TeamPCP did pull_request_target they stole access tokens to a place called Aqua Security.
Aqua Security was like, "lol gosh dang it" and did what you were supposed to do. They rotated access tokens and passwords and stuff. However, Aqua made an oopsie and forgot to rotate the stuff for one of their automation bots.
Once TeamPCP had access they injected malicious code which steal environment variables, SSH keys, cloud credentials, cryptotokens, etc into three things.
- Trivy
- Trivy GitHub actions
- Trivy Docker stuff
As is tradition, once TeamPCP put malware into Trivy stuff, anyone who did anything with Trivy was given malware. TeamPCP got a metric poop ton of stolen data and began using it to move to NPM projects. The projects they infected next was infected with a malware people named "CanisterWorm".
In extreme summary, CanisterWorm placed stuff in package.json from the infected NPM project. Every new infected NPM project would download malware to the machine that (unsurprisingly) stole your data.
TeamPCP seems to have been inspired by the North Korean government, or ALPHV ransomware group, because instead of stealing data to their server they store it on the blockchain ... making it virtually impossible to takedown.
LiteLLM takes place somewhere between Trivy and CanisterWorm. As of this writing the exact way TeamPCP got access to LiteLLM is unknown, however it's heavily speculated it is from Trivy. TeamPCP also stated very bluntly they got access from Trivy but ... they could also be lying. This may come as a surprise, but sometimes criminals lie to cover their tracks.
LiteLLM infection though was a few more degrees amplified than the previous stuff. LiteLLM infection also attempts lateral movement by automating Kubernetes stuff. LiteLLM infection also steals a ton more data than previous stuff. Here is the big ass list of stuff it steals:
- SSH keys
- AWS credentials and configurations
- GCP credentials and configurations
- Azure environment variables
- Kubernetes credentials and configurations
- Environment configurations
- Shell History
- Git credentials and configurations
- Docker credentials and configurations
- Database instances
- IaC / CI/DI
- SSL private keys
- Solana keys
- Crypto wallets
- VPN credentials and configurations
- Hashicorp vault (?)
- NPM configurations
- SMTP credentials
TeamPCP is unironically putting in big moves. What makes them unusual is how profoundly aggressive they are. It isn't uncommon for Threat Actors to attempt things like this, but TeamPCP is doing something more akin to "smash and grab" rather than "stay silent and watch".
tl;dr see picture of cat as summary
I also want to preface this with I DID NOT PERFORM THIS ANALYSIS. I almost never do open-source solutions malware stuff and this is also more in the line of work with DFIR (Digital Forensics and Incident Response). This summary comes from various peers and colleagues of mine who have been discussing TeamPCP the past couple of days.
DFIR nerds I sourced:
- ramimacisabird
- InsiderPhD
Non DFIR nerds I sourced:
- IceSolst
- IntCyberDigest
Yeah, so pretty much this group of nerds named TeamPCP bamboozled an open-source security product called Trivy. TeamPCP sent a pull request on GitHub but did it with "pull_request_target".
Normally a pull request isn't a big deal. Nerds do it all the time. "pull_request_target" though is designed to copy secrets, tokens, etc. pull_request_target is a legit thing. People do it all the time. It should only be performed by people you trust. TeamPCP impersonated a legitimate GitHub contributor.
Trivy was caught slippin'. When TeamPCP did pull_request_target they stole access tokens to a place called Aqua Security.
Aqua Security was like, "lol gosh dang it" and did what you were supposed to do. They rotated access tokens and passwords and stuff. However, Aqua made an oopsie and forgot to rotate the stuff for one of their automation bots.
Once TeamPCP had access they injected malicious code which steal environment variables, SSH keys, cloud credentials, cryptotokens, etc into three things.
- Trivy
- Trivy GitHub actions
- Trivy Docker stuff
As is tradition, once TeamPCP put malware into Trivy stuff, anyone who did anything with Trivy was given malware. TeamPCP got a metric poop ton of stolen data and began using it to move to NPM projects. The projects they infected next was infected with a malware people named "CanisterWorm".
In extreme summary, CanisterWorm placed stuff in package.json from the infected NPM project. Every new infected NPM project would download malware to the machine that (unsurprisingly) stole your data.
TeamPCP seems to have been inspired by the North Korean government, or ALPHV ransomware group, because instead of stealing data to their server they store it on the blockchain ... making it virtually impossible to takedown.
LiteLLM takes place somewhere between Trivy and CanisterWorm. As of this writing the exact way TeamPCP got access to LiteLLM is unknown, however it's heavily speculated it is from Trivy. TeamPCP also stated very bluntly they got access from Trivy but ... they could also be lying. This may come as a surprise, but sometimes criminals lie to cover their tracks.
LiteLLM infection though was a few more degrees amplified than the previous stuff. LiteLLM infection also attempts lateral movement by automating Kubernetes stuff. LiteLLM infection also steals a ton more data than previous stuff. Here is the big ass list of stuff it steals:
- SSH keys
- AWS credentials and configurations
- GCP credentials and configurations
- Azure environment variables
- Kubernetes credentials and configurations
- Environment configurations
- Shell History
- Git credentials and configurations
- Docker credentials and configurations
- Database instances
- IaC / CI/DI
- SSL private keys
- Solana keys
- Crypto wallets
- VPN credentials and configurations
- Hashicorp vault (?)
- NPM configurations
- SMTP credentials
TeamPCP is unironically putting in big moves. What makes them unusual is how profoundly aggressive they are. It isn't uncommon for Threat Actors to attempt things like this, but TeamPCP is doing something more akin to "smash and grab" rather than "stay silent and watch".
π₯°35β€14π₯8π±4
vx-underground
The LiteLLM supply chain attack is big shenanigans. I have to explain the whole thingie though so you can get the full context of the shenanigans. TeamPCP (the people who probably did it) is unironically swinging a big ass fuck off baseball bat, they're swingingβ¦
tl;dr
β€52π₯°16π8π₯5π1
Someone also made a video if you're lazy and don't want to read
https://www.youtube.com/watch?v=i9o4aWxAnLk
https://www.youtube.com/watch?v=i9o4aWxAnLk
YouTube
LiteLLM hack: Big brain target for hackers
LiteLLM hack summary: What is it, why it's smart to target it, and how it happened (so far).
GitHub Issue: https://github.com/BerriAI/litellm/issues/24512
Thread on cursed orange site: https://news.ycombinator.com/item?id=47501729
Original blog post: β¦
GitHub Issue: https://github.com/BerriAI/litellm/issues/24512
Thread on cursed orange site: https://news.ycombinator.com/item?id=47501729
Original blog post: β¦
π₯°17π8β€6