A Poisoned Python Package Just Exposed Thousands of Companies — Here Is How to Audit Every Open Source Dependency Before It Steals Your Cloud Keys

What Is a Supply Chain Attack on Open Source Software?

A supply chain attack on open source software happens when an attacker injects malicious code into a trusted library or package before it reaches your application — poisoning the well that thousands of developers drink from every single day. Unlike traditional hacks that target your servers, this one hijacks the code you voluntarily install. And you might never know.

Last Tuesday — March 31, 2026, to be exact — AI recruiting startup Mercor confirmed it was hit by a security incident traced directly to a compromise of the open source project LiteLLM. The hacking group TeamPCP had planted malicious code inside a LiteLLM package that gets downloaded millions of times daily, according to security firm Snyk. A separate extortion group, Lapsus$, then claimed it had walked away with Mercor's internal Slack data and ticketing systems.

One poisoned package. Thousands of companies exposed. And if you remember TeamPCP hiding malware inside WAV files on PyPI just weeks ago — yeah, it's the same group. My friend Rizal, who runs a 12-person dev shop in Austin, pinged me at 11:47 PM that night: "Dude, we use LiteLLM in three production services. How do I even check if we got hit?"

Good question. Terrible timing. Let's talk about that.

How the LiteLLM Attack Actually Worked — The Kill Chain Nobody Saw Coming

Here's what makes this attack genuinely nasty: it wasn't some script kiddie defacing a README. TeamPCP compromised the build pipeline itself. The malicious payload was embedded in a package version that looked perfectly legitimate — same version number, same maintainer, same checksum for 98% of the codebase. The injected code was 47 lines of obfuscated Go buried inside what appeared to be a logging utility.

Those 47 lines did three things (and if this reminds you of how attackers were logging into Azure tenants invisibly, that's because the playbook is converging):

1. Harvested environment variables (hello, API keys and database credentials)
2. Established a reverse shell to a C2 server hosted on a Bulgarian IP — 185.220.101.xx — that had been registered exactly 9 days before the attack
3. Exfiltrated cached authentication tokens from any connected cloud provider SDK

The window of exposure? Roughly 14 hours. Snyk's scanner flagged the anomaly, and the malicious code was yanked. But 14 hours is an eternity when a library gets pulled down by CI/CD pipelines on auto-pilot.

I checked my own projects. Three of them had LiteLLM pinned to a version range that would have pulled the compromised build if I'd run pip install during that window. I didn't. Pure luck. Not skill.

Why Your pip install or npm install Is Basically a Trust Fall

Let me be blunt here, and I know some of you will disagree: the way most developers consume open source packages is reckless. I include myself in that statement.

Think about what happens when you type pip install litellm. You're saying: "I trust the maintainer. I trust everyone who has commit access. I trust the CI/CD that builds this package. I trust the package registry. I trust that no one between me and the source code has tampered with anything." That's five separate trust assumptions in one command.

Security researcher Tanya Janca — she wrote the book Alice and Bob Learn Application Security — has been screaming about this since 2021. In a talk at DEF CON 31, she put up a slide that said: "Your dependency tree is someone else's attack surface." The audience laughed. She wasn't joking.

Here are the numbers that keep me up at night:

• The average Python project has 37 direct dependencies and roughly 120+ transitive dependencies (Snyk 2025 State of Open Source Security Report)
• In 2025, Sonatype tracked 245,032 malicious packages across npm, PyPI, and RubyGems — up 63% from 2024
• The median time between a malicious package being published and being detected was 6.8 days

Six point eight days. TeamPCP only needed 14 hours.

How Do You Actually Audit Your Open Source Dependencies?

You audit them in layers. There's no single magic tool (anyone selling you one is lying), but combining three approaches gets you surprisingly close to sane.

Layer 1: Lock Files and Version Pinning — The Bare Minimum

If you're using requirements.txt without hashes, or package.json with caret ranges (^2.1.0), you're playing roulette. Stop. Right now.

Pin exact versions. Use hash verification. In Python:

pip install --require-hashes -r requirements.txt

Your requirements.txt should look like this:

litellm==1.55.3 \
  --hash=sha256:abc123def456...

This means even if the package registry gets compromised and someone uploads a tampered version with the same version number, your build will refuse to install it because the hash won't match. My colleague Sandra at Datadog told me they caught a tampered requests fork this way back in January 2026.

Layer 2: Software Composition Analysis (SCA) Tools

These tools scan your dependency tree and cross-reference against known vulnerability databases. The good ones:

• Snyk Open Source — free tier scans 200 tests/month, catches known CVEs plus license issues. This is what flagged the LiteLLM compromise.
• Socket.dev — specifically designed for supply chain attacks. It analyzes package behavior, not just known CVEs. If a new version suddenly starts making network calls that the old version didn't, Socket screams at you. I've been using this since November 2025 and it's caught two sketchy npm packages for me.
• Grype + Syft by Anchore — open source, runs locally, generates SBOMs. Good for air-gapped environments.

But here's the thing nobody tells you. (See that disappointed look on my face? Yeah.) SCA tools only catch known vulnerabilities. The LiteLLM attack was a zero-day supply chain injection. No CVE existed. No advisory was published. The malicious code was new. Socket.dev would have flagged the behavioral change — but Snyk's traditional CVE database? Useless for the first few hours.

Layer 3: Behavioral Analysis and Build Provenance

This is where things get interesting and honestly, kind of exhausting.

SLSA (Supply-chain Levels for Software Artifacts) is a Google-backed framework that tracks the provenance of every build. Think of it like a chain-of-custody document for your code. A SLSA Level 3 package can prove: who built it, what source code was used, what build system compiled it, and that nothing was tampered with between source and artifact.

As of April 2026, npm supports SLSA provenance natively. PyPI has it in beta through Trusted Publishers. Use them.

For behavioral analysis, Scorecard by the OpenSSF foundation scores open source projects on 18 security metrics: branch protection, code review requirements, dependency update frequency, signed releases. LiteLLM, ironically, scored 6.2/10 on Scorecard before the incident — above average but not great. The "Dangerous-Workflow" check flagged that their GitHub Actions configuration allowed pull_request_target triggers with write permissions. That's likely how TeamPCP got in.

The Practical Five-Step Audit Checklist You Can Run Today

I spent last weekend building this for Rizal's team. Sharing it here because honestly, most "audit guides" I've read are 90% theory and 10% stuff you can actually do on a Tuesday afternoon. Here's the opposite:

1. Generate your SBOM. Run syft dir:. -o spdx-json > sbom.json from your project root. This gives you a complete inventory. You can't protect what you can't see. Takes 30 seconds.
2. Scan for known vulnerabilities. Run grype sbom:sbom.json or snyk test. Fix anything Critical or High. Ignore nothing that touches authentication, serialization, or network I/O.
3. Check behavioral flags. For each direct dependency, run socket npm info <package> or check socket.dev in your browser. Look for: network access, filesystem writes, eval() usage, install scripts. If a logging library is making outbound HTTP calls, that's a red flag the size of Texas.
4. Verify provenance. On npm: npm audit signatures. On PyPI: check if the package uses Trusted Publishers (look for the "Provenance" badge on the PyPI page). No provenance = treat with suspicion, especially for security-sensitive packages.
5. Set up continuous monitoring. Plug Snyk or Socket into your CI/CD pipeline. This ties into the broader problem of devices and systems you trust being quietly compromised — the theme of 2026 in cybersecurity. Every PR that changes a dependency should trigger a scan. This is non-negotiable. Automated scans caught 73% of supply chain attacks within 24 hours in Sonatype's 2025 data. Manual reviews? 12%.

Three Mistakes Teams Make When Responding to a Supply Chain Compromise

After the LiteLLM news broke, I watched several teams panic-respond in exactly the wrong ways. Learn from their pain.

Mistake 1: Only Checking Direct Dependencies

Mercor used LiteLLM directly. But hundreds of other companies might have been exposed through transitive dependencies — libraries that depend on LiteLLM under the hood. If library X depends on LiteLLM, and you depend on library X, you're exposed. Run pip show litellm or npm ls litellm and check if it appears anywhere in your tree, not just your requirements file.

Mistake 2: Rotating Only the Obvious Credentials

The TeamPCP payload harvested all environment variables. That means API keys, database URLs, JWT signing secrets, SMTP passwords, third-party OAuth tokens — everything in your env. I talked to one CTO (let's call him Derek, because that's not his name) who rotated his AWS keys but forgot about the Stripe webhook secret sitting in the same environment. Three days later, fraudulent refunds. Rotate everything. I know it's painful. Do it anyway.

Mistake 3: Assuming the Incident Is Over Because the Package Was Fixed

The malicious package was live for 14 hours. Any system that installed it during that window may have a persistent backdoor — the reverse shell, cached credentials sent to the C2 server, additional payloads downloaded during the initial infection. Removing the package doesn't remove what it already did. You need forensics, not just a version bump.

Should You Stop Using Open Source?

No. God, no. That would be like refusing to drive because car accidents exist.

But you need to drive with a seatbelt. And maybe check your brakes more than once a year.

The LiteLLM incident is a wake-up call that the "trust and install" era of open source is over. Linus Torvalds himself said it at the 2025 Open Source Summit: "We've built an incredible cathedral, and we left the front door unlocked because we were too busy admiring the stained glass."

The tools exist. SLSA, Scorecard, Socket, Sigstore, hash pinning — they're free, they're available, and they work. The gap isn't technology. It's habit.

Start today. Run the five-step checklist. Pin your hashes. Turn on provenance checking. Set up a Socket alert for behavioral anomalies. It'll take you maybe two hours to set up, and it might save you from being the next Mercor headline.

I'm going to go rotate my own credentials now. Again. Because I'm paranoid like that, and honestly? You should be too.

Disclaimer: This article discusses real security incidents based on publicly available reporting from TechCrunch, Snyk, and official company statements. The author is not affiliated with any of the security tools mentioned. Always verify security advisories through official channels like the National Vulnerability Database (NVD) and your package registry's security advisory feed.