Hackers sneak crypto wallet-stealing code into a popular AI tool that runs every time

A poisoned release of LiteLLM turned a routine Python install into a crypto-aware secret stealer that searched for wallets, Solana validator material, and cloud credentials every time Python started. On Mar. 24, between 10:39 UTC and 16:00 UTC, an attacker who had gained access to a maintainer accou


Hackers successfully infiltrated a popular AI tool called LiteLLM on March 24, injecting malicious code that automatically stole cryptocurrency wallets and sensitive credentials. The attack occurred between 10:39 UTC and 16:00 UTC when an attacker gained access to a maintainer account and published two compromised versions of the Python package. The malicious code activated every time Python started, systematically searching for crypto wallets, Solana validator materials, and cloud credentials on infected systems.
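The summary does not say which startup mechanism the poisoned release used. As an added example (not code from the article or from the LiteLLM project), this audit lists the standard CPython hooks that run code at every interpreter start: `.pth` lines beginning with `import`, and `sitecustomize.py` / `usercustomize.py`. The sample files in `demo()` are constructed.

```python
import site
import sysconfig
import tempfile
from pathlib import Path

# Standard CPython startup hooks: the site module executes any .pth line that
# begins with "import", and imports sitecustomize / usercustomize if present.
HOOK_MODULES = {"sitecustomize.py", "usercustomize.py"}


def site_dirs():
    """Directories the site module processes at interpreter startup."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    dirs.update(getattr(site, "getsitepackages", lambda: [])())
    return [Path(d) for d in dirs if d and Path(d).is_dir()]


def audit_dir(directory):
    """Return (file, line_no, text) for every startup hook found in directory."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.name in HOOK_MODULES:
            findings.append((entry.name, 0, "module imported at startup"))
        elif entry.suffix == ".pth" and entry.is_file():
            text = entry.read_text(encoding="utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if line.startswith(("import ", "import\t")):
                    findings.append((entry.name, no, line.strip()[:120]))
    return findings


def demo():
    """Constructed sample: a path-only .pth, an executable .pth, a hook module."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "paths.pth").write_text("/opt/extra/lib\n# comment\n")
        (d / "hook.pth").write_text("/opt/x\nimport os; os.environ.get('HOME')\n")
        (d / "sitecustomize.py").write_text("pass\n")
        return audit_dir(d)


if __name__ == "__main__":
    for d in site_dirs():
        for name, no, text in audit_dir(d):
            print(f"{d / name}:{no}: {text}")
```

A hit is not proof of compromise, since some legitimate packages ship executable `.pth` files; compare the output against a known-good environment and investigate entries that appeared after a recent install.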

LiteLLM is a widely used Python library that helps developers integrate various large language models into their applications. The supply chain attack exploited the trust developers place in legitimate software repositories, turning routine package installations into security breaches. By compromising a maintainer account, the attackers could distribute their malicious payload through official channels, making detection significantly more difficult for users who assumed they were downloading legitimate software.

This incident highlights the growing vulnerability of the cryptocurrency ecosystem to supply chain attacks targeting development tools. As AI integration becomes increasingly common in crypto projects, the intersection of these technologies creates new attack vectors that threat actors are actively exploiting. The breach demonstrates how attackers are evolving their techniques to target the infrastructure that developers rely on, rather than directly attacking end users or exchanges.

The crypto development community will likely scrutinize package management security more closely following this breach, potentially leading to enhanced verification processes for popular libraries.

Source: CryptoSlate
