Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise

--------------------------------------
INDICATORS OF COMPROMISE

Type | Indicator | Description | Detection

--------------------------------------
TRIVY-RELATED COMPROMISE INDICATORS

Type | Indicator | Description | Detection