
SECURITY: Do not upgrade litellm to 1.82.8 - compromised PyPI release #15

@starbaser

Description


⚠ LiteLLM 1.82.8 Supply Chain Compromise

LiteLLM PyPI release 1.82.8 contains a malicious litellm_init.pth that exfiltrates credentials and self-replicates.

Reference: BerriAI/litellm#24512

Status: ccproxy is not affected - pinned to <1.82.8 across all branches.

Action taken:

  • Full system scan confirmed no instances of 1.82.8
  • All branches pinned with litellm[proxy]>=1.13.0,<1.82.8
  • Actively seeking LiteLLM alternatives

We are safe - currently on 1.82.6. I've done a full scan of all my packages and repositories, and nothing on my system is using 1.82.8. I've pinned all repositories and am immediately seeking alternatives to LiteLLM. I don't use Discord a ton, but I see all notifications on my server - if you have any suggestions or want to discuss, feel free to reach out there.
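To make the two checks in the "Action taken" list repeatable (is the bad release installed anywhere, and does every pin actually exclude it), here is an added example; it is not ccproxy's or LiteLLM's own code. It assumes plain numeric versions (no pre-release suffixes), handles only the comparison operators shown on the page plus `==`/`!=`, and audits a constructed requirements sample rather than ccproxy's real files.

```python
"""Audit litellm pins against a known-bad PyPI release.

Added example; not ccproxy's or LiteLLM's code. Assumes plain numeric
versions and a constructed requirements sample.
"""
import operator
import re
from importlib import metadata

# Release identified as compromised in the issue above.
BAD_VERSION = "1.82.8"

_OPS = {
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
    "==": operator.eq, "!=": operator.ne,
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(\[[^\]]*\])?\s*(.*)$")
_CONSTRAINT_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """Turn '1.82.8' into (1, 82, 8) so tuples compare numerically.
    Assumption: no pre-release/post-release suffixes."""
    return tuple(int(part) for part in text.strip().split("."))


def specifier_allows(spec, version):
    """Does a requirement like 'litellm[proxy]>=1.13.0,<1.82.8' permit
    `version`? A bare name with no constraints permits everything."""
    match = _REQ_RE.match(spec)
    if match is None:
        raise ValueError(f"unparseable requirement: {spec!r}")
    _name, _extras, constraints = match.groups()
    candidate = parse_version(version)
    for clause in constraints.split(","):
        clause = clause.strip()
        if not clause:
            continue
        cm = _CONSTRAINT_RE.match(clause)
        if cm is None:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = cm.groups()
        if not _OPS[op](candidate, parse_version(bound)):
            return False
    return True


def pin_excludes_bad_release(spec, bad=BAD_VERSION):
    """True when the pin cannot resolve to the compromised release."""
    return not specifier_allows(spec, bad)


def installed_litellm_version():
    """Version of litellm in the current environment, or None if absent."""
    try:
        return metadata.version("litellm")
    except metadata.PackageNotFoundError:
        return None


def audit_requirements(lines, bad=BAD_VERSION):
    """For each litellm requirement line, report whether it excludes `bad`.
    Comments and blank lines are skipped; other packages are ignored."""
    findings = []
    for line in lines:
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        name = re.match(r"^([A-Za-z0-9_.-]+)", stripped)
        if name and name.group(1).lower() == "litellm":
            findings.append((stripped, pin_excludes_bad_release(stripped, bad)))
    return findings


# Constructed sample; not ccproxy's actual requirements file.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt
litellm[proxy]>=1.13.0,<1.82.8
litellm>=1.80
requests>=2.0
""".splitlines()


if __name__ == "__main__":
    installed = installed_litellm_version()
    print(f"installed litellm: {installed}")
    if installed is not None and parse_version(installed) == parse_version(BAD_VERSION):
        print(f"ALERT: compromised release {BAD_VERSION} is installed")
    for spec, excludes in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{'ok  ' if excludes else 'OPEN'} {spec}")
```

The second sample line (`litellm>=1.80`) is flagged as open because an upper bound is what keeps a resolver from picking up the compromised release; the pin the issue describes, `>=1.13.0,<1.82.8`, passes. Point `audit_requirements` at each branch's real requirements file to reproduce the "all branches pinned" check.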
