AI Stacks Have a Backdoor Problem: The Open Source Supply Chain Crisis of 2026
March 2026 should have been a wake-up call for every team shipping AI in production. In the span of twelve days, a threat group executed five coordinated supply chain attacks against some of the most trusted names in open source infrastructure — Trivy, KICS, Checkmarx, Axios, and LiteLLM. That last one hit AI deployments where it hurts.
The LiteLLM Attack: A Cascade, Not a Fluke
LiteLLM is the open source Python gateway that routes requests between your application and LLM providers — OpenAI, Anthropic, Gemini, and dozens more. It’s downloaded roughly 3.4 million times a day and is a direct dependency of frameworks like CrewAI, DSPy, Mem0, and Instructor. When the group published poisoned versions 1.82.7 and 1.82.8 to PyPI on March 24, they weren’t going after a single app; they were going after the entire AI development ecosystem that routes through LiteLLM.
The attack vector was elegant and alarming: the group first compromised Trivy, the popular open source vulnerability scanner, which LiteLLM used inside its own CI/CD pipeline. The poisoned Trivy build stole the LiteLLM maintainer’s PyPI credentials. The malicious package — containing a .pth file that executes on every Python startup — was live for roughly 40 minutes before PyPI quarantined it. That’s 40 minutes against 95 million monthly downloads.
Why AI Apps Are the Prize
Generic supply chain attacks harvest credentials opportunistically. An attack on an AI gateway is more targeted: LiteLLM-consuming environments almost always hold API keys for OpenAI, Anthropic, or cloud providers — exactly the credentials that unlock real spending and data access. The blast radius isn’t just compromised servers. It’s exfiltrated model API keys, cloud admin access, and the ability to silently proxy or log every LLM call your application makes.
This dynamic is only getting worse. Research on 10,000 open source ML repositories found 70% have critical or high-severity vulnerabilities in their GitHub Actions workflows. Separately, attackers are now exploiting a practice called “slop-squatting” — publishing malicious packages under names that LLMs commonly hallucinate, so teams that trust AI-generated dependency lists are directly targeted.
What Actually Protects You
The LiteLLM incident had a clear dividing line: repos using poetry.lock or uv.lock were immune. Pinned lockfiles meant pip install pulled the exact safe version regardless of what was live on PyPI during the attack window. Repos using loose version ranges like litellm>=1.79.2 were exposed.
A few practices that compound on top of lockfile discipline:
- Pin GitHub Actions by commit SHA, not tag: uses: action@<full commit SHA> instead of uses: action@v2. Tags are mutable; commit hashes aren’t.
- Scope API key permissions in CI/CD workflows. Keys defined at the workflow level are available to every step, including malicious ones injected via a compromised dependency.
- Run dependency audits in CI with tools like pip-audit or socket.dev. Catching a known-bad package before it hits production is orders of magnitude cheaper than rotating every credential in your stack post-incident.
- Monitor for unexpected outbound connections from your AI runtime. The LiteLLM payload phoned home silently; egress monitoring would have caught it.
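As an added example (not code from the article, LiteLLM, or any of the tools named above), here is a small standard-library Python auditor that applies the lockfile lesson to a requirements file: it flags every requirement that is not pinned to an exact version and checks whether a loose range would have admitted the poisoned releases named above. The requirement lines and the KNOWN_BAD table are constructed for illustration; only the litellm version numbers come from the article.

```python
import re

# Releases the article reports as poisoned on PyPI; extend with your own advisories.
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}

_CLAUSE = re.compile(r"(==|!=|<=|>=|<|>|~=)\s*([0-9][0-9.]*)")

def _ver(s):
    """'1.82.7' -> (1, 82, 7); pre-release/local suffixes are out of scope here."""
    return tuple(int(p) for p in s.strip(".").split("."))

def _admits(version, op, target):
    """True if `version` satisfies one comparison clause (release segments only)."""
    v, t = _ver(version), _ver(target)
    n = max(len(v), len(t))  # pad so 1.82 and 1.82.0 compare equal
    v, t = v + (0,) * (n - len(v)), t + (0,) * (n - len(t))
    if op == "~=":  # compatible release: >= target, same prefix minus last component
        k = len(_ver(target)) - 1
        return v >= t and v[:k] == t[:k]
    return {"==": v == t, "!=": v != t, "<": v < t, "<=": v <= t, ">": v > t, ">=": v >= t}[op]

def audit_requirement(line):
    """Classify one requirements.txt line as PINNED, UNPINNED or EXPOSED (None for blanks)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*)", line)
    if not m:  # editable installs, URLs, -r includes: surface them instead of guessing
        return (line, "UNPARSED", "not a name/specifier line")
    name, spec = m.group(1).lower(), m.group(2).replace(" ", "")
    clauses = _CLAUSE.findall(spec)
    # A poisoned release is reachable if it satisfies every clause; no clause means "latest".
    admitted = sorted(b for b in KNOWN_BAD.get(name, ())
                      if all(_admits(b, op, t) for op, t in clauses))
    if admitted:
        return (name, "EXPOSED", f"{spec or '(any)'} admits poisoned {', '.join(admitted)}")
    if len(clauses) == 1 and clauses[0][0] == "==":
        return (name, "PINNED", spec)
    return (name, "UNPINNED", spec or "(any version)")

def audit(lines):
    return [r for r in map(audit_requirement, lines) if r]

# Constructed sample; the three litellm lines sit together only to contrast outcomes.
SAMPLE_REQUIREMENTS = [
    "litellm>=1.79.2          # the loose range from the article: resolves to newest",
    "litellm==1.79.2          # exact pin: the resolver never sees 1.82.7 / 1.82.8",
    "litellm>=1.79.2,<1.82.7  # upper bound excludes the poisoned releases",
    "requests                 # no specifier at all",
]
```

audit(SAMPLE_REQUIREMENTS) returns one (name, status, detail) tuple per requirement; in CI, fail the build on any EXPOSED result and treat UNPINNED as a warning until the project moves to a lockfile.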
The Bigger Pattern to Watch
The twelve-day campaign was methodical: each compromise was a stepping stone to the next target. Trivy → LiteLLM credentials → your AI app’s production keys. The open source trust model that makes fast AI development possible is also its greatest vulnerability. The teams that get through the next wave of these attacks will be the ones who treat their dependency graph as an attack surface, not an afterthought.
Pin your versions. Audit your CI. Rotate your keys if you ran an affected package. The fundamentals haven’t changed — they’ve just become existential.
Further Reading
The Record: Supply chain attack hits widely-used AI package
Kaspersky: Trojanization of Trivy, Checkmarx, and LiteLLM
Snyk: How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM
HeroDevs: The LiteLLM Supply Chain Attack — What Happened and What to Do
DreamFactory: Five Supply Chain Attacks in Twelve Days
AI Disclosure
This document is drafted by an AI skill and is provided for informational and governance support purposes only. It does not constitute legal advice or a formal compliance determination. Do not publish or rely on this notice as a substitute for review by qualified legal counsel or a licensed compliance professional with jurisdiction-specific expertise.