DocsQuick StartAI News
AI NewsLiteLLM and Axios hit by supply chain poisoning, AI ecosystem on alert
Industry News

LiteLLM and Axios hit by supply chain poisoning, AI ecosystem on alert

2026-04-10
LiteLLM and Axios hit by supply chain poisoning, AI ecosystem on alert

The National Cybersecurity Notification Center reported today that three major development tools—LiteLLM, Axios, and Apifox—have successively suffered supply chain poisoning attacks. The malicious code can steal credentials and perform lateral movement, affecting numerous AI applications and downstream developers.

LiteLLM was poisoned. Axios didn’t escape either. Just today (April 10), China’s National Cybersecurity Notification Center officially released a bulletin naming three supply chain poisoning incidents: the open-source AI API gateway LiteLLM, the JavaScript HTTP library Axios, and the API collaboration platform Apifox—all compromised within days of each other.

This isn’t a minor issue affecting some obscure library. LiteLLM is currently one of the most popular multi-model proxy gateways, widely used by companies to unify API calls to GPT, Claude, Gemini, and other models. Axios needs no introduction—it gets over 100 million weekly downloads on npm, serving as the “water and electricity” of the frontend and Node.js ecosystems. These two libraries being poisoned means someone has tampered with the foundation of the AI development ecosystem.

What Happened

Let’s start with LiteLLM. On March 24, ThreatBook Threat Intelligence Bureau first detected anomalies: LiteLLM versions 1.82.7 and 1.82.8 on the PyPI repository contained injected backdoor code. The attacker’s method was subtle yet sophisticated—the malicious code was silently triggered during the normal pip install process, without requiring any user action. Once installed, the backdoor stole API keys, cloud credentials, and other sensitive information from the environment, then attempted lateral movement across machines in the same network.

The good news: PyPI removed the malicious versions within 46 minutes.
The bad news: for a popular package, 46 minutes is long enough to cause widespread infection. LiteLLM’s user base is highly concentrated—AI engineers, backend developers, and MLOps teams—whose machines typically store all kinds of model API keys, cloud access keys, even database credentials. The attacker targeted “high-value victims” with precision.

Timeline of the LiteLLM poisoning incident, showing the 46-minute window between malicious release and takedown

Now, Axios. The attack path was even nastier—the hacker directly hijacked the npm account of a core Axios maintainer and published two malicious versions: 1.14.1 and 0.30.4. Note the choice of those version numbers: 1.14.1 followed immediately after the latest stable release at the time, while 0.30.4 targeted projects still pinned to older major versions. Whether you were an “always-upgrade” person or a “strict version lock” person, you could fall into the trap.

The malicious versions contained a cross-platform trojan that affected Windows, macOS, and Linux. Even more concerning, analysis from the National Cybersecurity Notification Center revealed that many AI applications and plugin ecosystems—including OpenClaw—directly depended on Axios. The risk propagated through dependency chains, eventually reaching end users.

One chilling detail: security researchers found that in this Axios incident, the attacker likely used AI-assisted social engineering techniques to gain access to the maintainer’s account. Using AI to attack the AI ecosystem—an ironic “stacked doll” indeed.

Why Supply Chain Poisoning Is Becoming More Dangerous

Supply chain poisoning isn’t new. But this recent wave of incidents has several distinct features every developer must take seriously.

First: Attack targets are moving upstream. Traditional poisoning targeted end users; now attackers directly hit developers and DevOps personnel. The logic is simple: an average user’s computer might hold a few passwords, but an AI engineer’s .env file might contain API credits worth tens of thousands of dollars, production database credentials, or cloud root keys. Poisoning one developer can open a door into an entire enterprise network.

Second: The attack surface is expanding. Modern software dependencies form a massive tree. Your project might depend on 20 direct packages, but each of those depends on dozens more, resulting in thousands of packages in your node_modules. If even one node is compromised, the entire tree is contaminated. Axios is a prime example—an HTTP client library so fundamental and ubiquitous that nearly all AI apps use it both frontend and backend. Compromise Axios, and it’s like poisoning the entire ecosystem’s water supply.

Third: Detection is getting harder. All three incidents used obfuscation, self-deletion, and anti-debugging techniques. LiteLLM’s backdoor automatically cleaned up traces after stealing data; Axios’s trojan used stealthy communication mechanisms that traditional security tools could barely detect. Antivirus software and firewalls are largely blind to such attacks.

Practical Impact on AI Developers

Let’s talk specifics. If you’re an AI developer, check the following scenarios immediately:

Scenario 1: You use LiteLLM as a model gateway

LiteLLM is widely adopted in AI development. Its main value is providing a unified interface to call models from multiple providers—OpenAI, Anthropic, Google, DeepSeek—with a single codebase. Many teams use it to deploy internal model proxy services, some even in production environments.

If you installed or upgraded LiteLLM around March 24 using pip install litellm or pip install --upgrade litellm, check your version:

pip show litellm | grep Version

If the version is 1.82.7 or 1.82.8, you must:

  1. Immediately roll back to 1.82.6 or earlier stable versions.
  2. Rotate all API keys and credentials stored in that environment.
  3. Review network logs on that machine for suspicious outbound connections.
# Roll back to a safe version
pip install litellm==1.82.6

# Check for leftover malicious files
find $(python -c "import litellm; print(litellm.__path__[0])") -name "*.pyc" -newer /tmp/marker -exec ls -la {} \;

On a related note: self-hosting LiteLLM gateways already involves nontrivial operational and security costs—this incident magnifies those. If your main goal is unified model API access, managed aggregation services such as OpenAI Hub can eliminate the burden of maintaining your own gateway—one key to call all major models, OpenAI-compatible format, direct access from China—at least without worrying your gateway component might be compromised. Of course, the best choice depends on your safety and control requirements.

Scenario 2: Your project depends on Axios

Check your package.json and package-lock.json:

npm ls axios

If your locked version is 1.14.1 or 0.30.4, downgrade immediately:

npm install axios@1.14.0

Indirect dependencies can be trickier. You may not have installed Axios directly, but an AI SDK or utility library you use might depend on it. Check your full dependency tree:

npm ls axios --all

Scenario 3: You use Apifox for API debugging

The public SaaS version of the Apifox desktop client is also included in this bulletin. If you’ve used Apifox to test API requests containing API keys (honestly, who hasn’t?), rotate those credentials as well.

Deeper Issues

This incident exposes not just security issues with three libraries—but the fragility of the entire open-source supply chain trust model.

Ask yourself: when you run pip install, what are you trusting? The package name? The version number? The PyPI platform? The maintainer’s account security?

In truth, you’re trusting a long chain, and any link can break. LiteLLM’s case was an upstream dependency poisoning; Axios’s was an account hijacking; Apifox’s was a release channel tampering. Three different attack surfaces, three different breakpoints—same end result.

For AI in particular, this is critical for three reasons:

  1. AI projects have extremely long dependency chains. A typical LLM app—from model API calls to vector databases, web frameworks, and UI—might rely on hundreds of packages. The attack surface is enormous.

  2. AI developers hold especially valuable “keys.” Model API keys are billed per token—if stolen, that’s real money lost. Add in sensitive training data, user conversations, etc.—the stakes skyrocket.

  3. AI ecosystems evolve too fast for security awareness to keep up. Teams constantly upgrade dependencies for new models and frameworks, often blindly running pip install --upgrade. In the face of supply chain poisoning, this habit is like running naked.

What You Should Do Now

The National Cybersecurity Notification Center provided mitigation advice. Here’s how developers can apply it directly:

Pin dependency versions; avoid range-based matches.
In package.json, change ^1.14.0 to 1.14.0;
in requirements.txt, change litellm>=1.82 to litellm==1.82.6.
Yes, it makes upgrades slower—but at least you won’t unknowingly pull in malicious versions.

Enable package verification. npm supports --integrity checks, pip supports --require-hashes. Use them:

# pip hash verification
pip install litellm==1.82.6 --require-hashes --hash=sha256:<official_hash>

# npm’s package-lock.json already includes `integrity`; commit it to version control

Isolate development environments.
Use separate virtual environments or containers per project—don’t install directly on your host machine. If malicious code can only run inside an isolated container, damage is contained.

Never hardcode credentials or store them in .env files.
Use Vault, AWS Secrets Manager, or at least environment variables. .env files are easy prey for malicious code.

Monitor security bulletins.
Subscribe to the security notices of critical dependencies. Both PyPI and npm have notification channels; GitHub’s Dependabot can automatically detect known vulnerabilities.

Audit dependencies regularly.
Use tools like npm audit, pip-audit, or Snyk to scan your dependencies:

# npm audit
npm audit

# pip audit (requires pip-audit)
pip install pip-audit
pip-audit

Final Thoughts

Supply chain poisoning is shifting from a “rare event” to a “persistent threat.”
In just the past two weeks, Deep Safe’s Tianlimu Threat Intelligence Center detected three major incidents—an unprecedented frequency.

For AI developers, this is a reality check: your code might be clean, but your dependencies could have backdoors. In a culture of “fast iteration” and “embracing open source,” security is often the first thing sacrificed.

This bulletin is a wake-up call.
Supply chain security is no longer just the security team’s job—it’s the responsibility of every developer who runs an install command.


References:

Related Articles

View All

Contact Us

We usually reply quickly during business hours

Scan WeChat

Support: Hub Assistant

WeChat ID: