[Security]: Supply Chain Incident — Friday Townhall #24575
Replies: 3 comments 1 reply
-
I'd just like official confirmation that the dockers are completely safe, I know they were not compromised. But have the credentials of your own docker repo been sufficiently replaced to where there can be no further surprises?
-
One takeaway from this: the AI tooling ecosystem needs better pre-integration trust checks. Package signing and 2FA on maintainer accounts help, but they only cover the publisher side. There's no standard way for a consumer to check "has this tool been independently scanned for security issues?" We've been building AgentGraph for this — automated security scanning of agent/tool repos that checks for hardcoded secrets, unsafe exec patterns, data exfiltration, and dependency vulnerabilities. Every scanned project gets a trust score (0-100) and verified identity. Would be interested in what signals the LiteLLM community would find most useful in a trust score. The obvious ones (CVE count, dependency freshness, maintainer verification) are easy. The harder question is how to weight supply chain depth — a project with 200 transitive deps has a very different risk profile from one with 5. Open source: github.com/agentgraph-co/agentgraph
-
One concrete takeaway from this incident that applies broadly: the dependency tree for LLM proxy infrastructure is a single point of compromise for every downstream agent. A supply chain attack on the routing layer gives the attacker access to every API key, every prompt, and every response flowing through it. For teams running LiteLLM in production, two things worth doing now regardless of this specific incident: (1) rotate all API keys that were configured in your LiteLLM proxy config, even if you believe you were not affected, and (2) set up independent logging of all LLM calls at a layer outside LiteLLM so you have a second source of truth if the proxy itself is compromised. The broader question about pre-integration trust checks is important. Package signing helps but the real gap is runtime integrity - knowing that the code running in your container right now matches what you audited.
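One way to implement the runtime-integrity check the comment above calls for, as an added example that is not LiteLLM's or any commenter's code: snapshot a SHA-256 manifest of the tree you audited, then diff the live tree against that snapshot to surface added, removed and modified files. The directory and file names are hypothetical and the tampering is simulated in a temp directory.

```python
"""Build a file-hash manifest for an audited tree and re-verify it at runtime.

Added example, not LiteLLM project code. The package directory and file
names below are hypothetical; the drift scenario is constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root_path).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_manifest(root: str, audited: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the audited manifest and report every drift."""
    live = build_manifest(root)
    return {
        "added": sorted(set(live) - set(audited)),
        "removed": sorted(set(audited) - set(live)),
        "modified": sorted(p for p in set(live) & set(audited) if live[p] != audited[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: audit a tree, simulate post-audit drift, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "litellm_proxy"  # hypothetical package directory
        pkg.mkdir()
        (pkg / "router.py").write_text("def route(req):\n    return req\n")
        (pkg / "config.yaml").write_text("model_list: []\n")
        audited = build_manifest(tmp)  # snapshot taken when the code was audited
        # Simulated drift: one file altered, one injected, one deleted.
        (pkg / "router.py").write_text("def route(req):\n    return req  # changed\n")
        (pkg / "extra.py").write_text("# file not present at audit time\n")
        (pkg / "config.yaml").unlink()
        return verify_manifest(tmp, audited)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the audited manifest is produced in CI from the image you reviewed and shipped alongside it, and the verify step runs at container start or on a schedule, alerting on any non-empty drift list.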
-
Following the security incident, we'd like to hear from you
We know this has been a stressful situation for many of you, and we're sorry for the disruption this may have caused. If you haven't seen our full update, you can read it here: https://docs.litellm.ai/blog/security-update-march-2026
We want to make sure you have a space to ask questions, share concerns, and hear directly from us on where things stand. With that in mind, would a Friday townhall be helpful? If so, let us know what times work for you and what you'd want to cover.