FutureSearch
107 posts

FutureSearch
@FUTURESEARCHAI
Building AI to understand AI.
Joined February 2024
252 Following 352 Followers

@hnykda @FUTURESEARCHAI @github Futu Research AI
Future Search AI
Futures Ear Chai
Future Sear Chai
Which is it?

So let me get this straight: we at @FUTURESEARCHAI discover the litellm supply chain attack, report it to PyPI, open the disclosure issue on GitHub, and... @github bans my account? What the hell!?
FutureSearch retweeted

He published a minute-to-minute account of how it went down and how he and Claude figured this out (with Claude first blaming itself for the issue) futuresearch.ai/blog/litellm-a…
FutureSearch retweeted

@TheHackersNews One of our engineers was credited by PyPI for first reporting the attack. We wrote up more details: futuresearch.ai/blog/no-prompt…

🛑 Malicious LiteLLM versions 1.82.7–1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor.
Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service.
🔗 Full story → thehackernews.com/2026/03/teampc…


@pvergadia Daniel is our VP of Eng! The malware triggered for one of our developers within a plugin he was developing for Cursor, and the Mac system notifications sent big warnings about network access. Small follow-up here futuresearch.ai/blog/no-prompt…

BREAKING: We gave AI agents keys to everything. Then we forgot to lock the door behind us.
LiteLLM v1.82.8 stole credentials from thousands of AI apps. Silently. Automatically. While the agent kept running.
This is the threat model nobody wants to talk about:
→ Agents are trusted by design, that's the whole point
→ They hold OAuth tokens, API keys, cloud credentials, DB passwords
→ They run 24/7 with no human watching
→ Their dependencies update automatically
→ And they have permission to take actions in the real world
A human getting phished loses their credentials. An agent getting compromised loses its credentials and keeps acting on your behalf.
The surface area of an AI agent isn't the model. It's every package, every tool call, every MCP server, every dependency it touches. Security was an afterthought. Agents are shipping to production now.
We haven't solved human-scale identity theft. We just gave attackers an automated, always-on, fully-credentialed version of your employees to compromise instead.
The LiteLLM attack is a warning shot.
Daniel Hnyk@hnykda
LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised. It contains litellm_init.pth with base64-encoded instructions to send all the credentials it can find to a remote server + self-replicate. Link below
FutureSearch retweeted

Our colleague @Callum_McMahon_ was testing a Cursor MCP plugin that pulled in litellm as a transitive dependency. His 48GB Mac Pro ground to a halt.
The cause: a base64-encoded payload hidden in litellm 1.82.8 that exfiltrates every credential it can find. futuresearch.ai/blog/no-prompt…
FutureSearch retweeted

@elonmusk We at futuresearch were the ones reporting this yesterday, this was a big one, we checked the numbers and there were 47k downloads in 46 minutes while the package was up: futuresearch.ai/blog/litellm-h…

@helpnetsecurity @sonatype @AikidoSecurity @AquaSecTeam @Checkmarx @wiz_io @pypi Great piece! Callum is one of our engineers (PyPI credited him for first reporting the attack). He wrote up a post-mortem of how things played out: futuresearch.ai/blog/no-prompt…

LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks - helpnetsecurity.com/2026/03/25/tea… - @FUTURESEARCHAI @sonatype @AikidoSecurity @AquaSecTeam @Checkmarx @wiz_io @pypi #Malware #OpenSource #SupplyChainCompromise #Cybersecurity #CybersecurityNews

@awagents One of our engineers was credited by PyPI for first reporting the supply chain attack on LiteLLM. Happy to connect if you're doing additional coverage!
hello@futuresearch.ai


@fahdmirza One of our engineers was credited by PyPI for reporting the attack. Happy to connect if you're doing further coverage of this story: hello@futuresearch.ai

⚠️ LiteLLM Has Been COMPROMISED 🚨
♠ And it could have silently stolen everything on your machine 😱
🔹 97 million monthly downloads — one poisoned package
🔹 Steals SSH keys, AWS/GCP/Azure creds, API keys, crypto wallets & more
🔹 Runs automatically — no import needed, triggers on every Python startup
🔹 Spreads through transitive deps — DSPy, MCP plugins & more all affected
🔹 Only discovered because the malware had a bug — otherwise undetected for weeks
🔥 Watch the full breakdown + remediation steps below 👇

@ReversingLabs One of our engineers - Callum - was credited with first reporting this to PyPI! Reach out if you're doing further coverage - hello@futuresearch.ai

What started as a compromise of Checkmarx Open VSX plugins on npm has now spread to PyPI and is targeting LiteLLM. See RL's full post on the evolution to the TeamPCP supply chain attack 👉 reversinglabs.com/blog/teampcp-s…

👁️ Be on the lookout for compromised versions 1.82.7 and 1.82.8 of the "litellm" PyPI package, which has more than 479 million downloads 🧵👇
secure.software/pypi/packages/…

@ramimacisabird Read the Wiz piece! One of our engineers was credited by PyPI for reporting the attack. Happy to connect and provide details for any further coverage if useful: hello@futuresearch.ai

TeamPCP got an infostealer into LiteLLM
1.82.7, 1.82.8 litellm
c2 is models[.]litellm.[]cloud
Act fast. github.com/BerriAI/litell…
FutureSearch retweeted

My awesome colleague Callum McMahon, who discovered this, wrote an explainer and postmortem going into greater detail: futuresearch.ai/blog/no-prompt…
FutureSearch retweeted

Oh, it just got worse. The [public github issue](github.com/BerriAI/litell…) has been closed as "not planned" by the owner, so they likely have been fully compromised.
FutureSearch retweeted

I updated our play money AI Kalshi trader.
Summary:
Feb 26: $100,000
Mar 5 after selling: $101,044
Mar 13 after selling: $102,122
Mar 13 after buying: $101,486
For updates we:
1) Forecast.
2) Handle market resolutions.
3) Sell over-priced positions.
4) Set target buy positions.
5) Buy using the order book.
This past week saw:
- 7 resolutions (we had 3 winners, 4 losers)
- 4 sales
- 19 buys
- Ending cash $24k

