
LiteLLM Supply Chain Compromise | Episode 47



About this episode

In this episode of BHIS Presents: AI Security Ops, the team breaks down the LiteLLM supply chain compromise, a real-world attack that shows how AI systems are being breached through the same old software supply chain weaknesses.

What initially looked like a bad release quickly escalated into a full-scale compromise affecting a library downloaded millions of times per day. But LiteLLM wasn't the starting point; it was just one link in a much larger attack chain involving compromised security tools, CI/CD pipelines, and stolen publishing credentials.

The result? Malicious packages distributed at scale, harvesting secrets, enabling lateral movement, and establishing persistence across affected systems.

We dig into:
• What LiteLLM is and why it’s such a high-value target
• How the attack chain started with compromised security tooling (Trivy, Checkmarx)
• How unpinned dependencies enabled the compromise
• The role of CI/CD pipelines in exposing sensitive credentials
• What the malicious LiteLLM packages actually did (credential harvesting, persistence, lateral movement)
• The scale of impact given LiteLLM’s widespread adoption
• Why supply chain attacks are no longer theoretical, and no longer nation-state exclusive
• How AI is lowering the barrier to entry for attackers
• Why this wasn't really an "AI vulnerability" but an infrastructure failure
• The growing risk of automated, agent-driven attack discovery

This episode highlights a critical reality: the biggest risks in AI systems aren't always in the models; they're in the pipelines, dependencies, and infrastructure surrounding them.

📚 Key Concepts & Topics

Supply Chain Security
• Dependency poisoning and malicious package distribution
• CI/CD pipeline compromise
• Version pinning and build integrity

Credential & Secrets Exposure
• API keys, SSH keys, and cloud credentials in pipelines
• Risks of centralized AI gateways like LiteLLM

Threat Actor Techniques
• Tag rewriting and trusted reference hijacking
• Multi-stage malware (harvest, lateral movement, persistence)
• Use of lookalike domains for exfiltration

AI & Security Reality Check
• AI as an amplifier, not the root vulnerability
• Traditional security failures in modern AI stacks
• Automation lowering attacker barriers

Defensive Strategies
• Dependency pinning and isolation (Docker, VPS)
• Atomic credential rotation
• Treating CI/CD tools as critical infrastructure
• Monitoring outbound traffic from build environments
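The "tag rewriting and trusted reference hijacking" technique and the "dependency pinning" defence above are two sides of the same check: a CI job that references an action by a mutable tag or branch (`@v4`, `@master`) trusts whoever can move that tag, while a 40-character commit SHA cannot be silently rewritten; likewise a requirements file entry without an exact version and a `--hash` accepts whatever the index serves next. The script below is an added example written for these show notes, not code from the episode, from BHIS, or from the LiteLLM project. It scans a constructed GitHub Actions workflow and a constructed pip requirements file (both embedded inline as sample input) and reports every reference that is not immutably pinned. The action names, versions and SHA in the sample are placeholders.

```python
"""Flag mutable references in a GitHub Actions workflow and a pip requirements file.

Added illustration for the episode notes; not the show's or LiteLLM's own tooling.
"""
import re

# Constructed sample input (placeholder actions, versions and SHA, not a real repo).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - run: pip install -r requirements.txt
"""

# Constructed sample input; the hash value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
litellm>=1.0            # floating lower bound: any future release is accepted
requests==2.32.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.2          # exact version, but a re-uploaded artifact would still install
pyyaml                  # no constraint at all
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def check_action_refs(workflow_text: str) -> list[tuple[str, str]]:
    """Return (reference, reason) for each `uses:` not pinned to a full commit SHA.

    Local (./path) and docker:// actions are skipped: they are not fetched from a
    third-party git tag, so tag rewriting does not apply to them.
    """
    findings = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((ref, "no ref given; resolves to the default branch"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((ref, f"mutable ref '{version}'; a tag or branch can be rewritten"))
    return findings


def check_requirements(requirements_text: str) -> list[tuple[str, str]]:
    """Return (package, reason) for each entry that is not pinned by exact version and hash."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -e, ...)
            continue
        name = re.split(r"[<>=!~\[\s;]", line, maxsplit=1)[0]
        if "==" not in line:
            findings.append((name, "not pinned to an exact version"))
        elif "--hash=" not in line:
            findings.append((name, "pinned by version but not by hash"))
    return findings


def main() -> None:
    for ref, why in check_action_refs(SAMPLE_WORKFLOW):
        print(f"workflow: {ref}: {why}")
    for pkg, why in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements: {pkg}: {why}")


if __name__ == "__main__":
    main()
```

Pinning to a SHA only removes the tag-rewrite path; the pinned commit still has to be one you reviewed, and the pins need a maintained update process so they do not freeze known-bad versions in place.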


  • (00:00) - Intro & Incident Overview
  • (01:26) - What Is LiteLLM & Why It Matters
  • (03:53) - Supply Chain Scope & Why This Is Dangerous
  • (07:31) - Why These Attacks Are Getting Easier (AI + Scale)
  • (10:48) - Attack Chain Breakdown (Trivy → Checkmarx → LiteLLM)
  • (11:50) - What the Malware Did & Impact at Scale
  • (14:23) - Detection, Response & Who Was Safe


Creators & Guests
  • Brian Fehrman - Host
  • Bronwen Aker - Host
  • Derek Banks - Host

Brought to you by:

Black Hills Information Security

https://www.blackhillsinfosec.com


Antisyphon Training

https://www.antisyphontraining.com/


Active Countermeasures

https://www.activecountermeasures.com


Wild West Hackin Fest

https://wildwesthackinfest.com

🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits
https://poweredbybhis.com

