Python Supply-Chain Compromise
ID: fcf500c8-cb0f-5b0d-a028-f93f2649c7cc
STIX ID: report--fcf500c8-cb0f-5b0d-a028-f93f2649c7cc
Feed Name: Schneier on Security
A malicious supply-chain compromise was identified in the PyPI package litellm v1.82.8: the published wheel includes a malicious .pth file (litellm_init.pth, 34,628 bytes) that the Python interpreter processes automatically on startup, so the payload runs in every Python process on the host without the module ever being imported. The mechanism is a documented interpreter feature, not a bug: the site module reads every .pth file in site-packages when the interpreter starts, and any line beginning with "import " or "import\t" is executed as Python code rather than treated as a path entry. The report calls for stronger supply-chain protections (SBOMs, SLSA, Sigstore) to help secure critical libraries.
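As an added example (not part of the report or of the litellm project), the following auditor shows how to check an environment for the class of abuse described above: it parses .pth text the way CPython's site module does, separating path entries from executable "import" lines, flags exec lines that reference common payload-staging primitives, and flags unusually large .pth files. The sample .pth contents, the keyword list and the 4 KiB size threshold are all constructed assumptions for illustration; the encoded string in the "malicious" sample is the harmless statement pass.

```python
"""Audit .pth files for executable 'import' lines.

Added example; not code from the report or from litellm. CPython's site.py
exec()s any .pth line that begins with "import " or "import\t", so those
lines are the ones worth reading before trusting an installed package.
"""
from __future__ import annotations

import re
import site
from pathlib import Path

# site.addpackage() executes lines matching this; everything else is a path entry.
EXEC_LINE = re.compile(r"^import[ \t]")

# Assumed indicator list for payload staging; tune for your environment.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|compile\(|__import__|base64|marshal|zlib|"
    r"subprocess|socket|urllib|http\.client|ctypes"
)

# Constructed sample .pth contents (not the real litellm_init.pth).
SAMPLE_PATH_ONLY = "/opt/vendor/lib\n# vendored extension path\n"
SAMPLE_SHIM = "import _editable_shim\n"  # benign-looking exec line
SAMPLE_MALICIOUS = "import base64;exec(base64.b64decode('cGFzcw=='))\n"


def classify_pth(text: str) -> dict[str, list[str]]:
    """Split one .pth file's text into path entries and exec lines.

    Mirrors site.addpackage(): blank and '#' lines are ignored, lines that
    start with 'import ' or 'import\\t' are executed, the rest are paths.
    """
    result: dict[str, list[str]] = {"path_lines": [], "exec_lines": [], "suspicious": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if EXEC_LINE.match(line):
            result["exec_lines"].append(line)
            if SUSPICIOUS.search(line):
                result["suspicious"].append(line)
        else:
            result["path_lines"].append(line)
    return result


def audit_pth_texts(files: dict[str, str], size_threshold: int = 4096) -> list[dict]:
    """Return a finding per .pth file that has exec lines or is oversized.

    size_threshold (bytes) is an assumed heuristic: legitimate .pth files are
    usually a few lines long, so a multi-kilobyte file deserves a manual look.
    """
    findings = []
    for name, text in files.items():
        info = classify_pth(text)
        reasons = []
        if info["suspicious"]:
            reasons.append("suspicious exec line")
        elif info["exec_lines"]:
            reasons.append("exec line")
        if len(text.encode("utf-8", "replace")) > size_threshold:
            reasons.append("oversized")
        if reasons:
            findings.append({"file": name, "reasons": reasons, **info})
    return findings


def audit_installed(size_threshold: int = 4096) -> list[dict]:
    """Audit every .pth file the running interpreter would process at startup."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    files: dict[str, str] = {}
    for d in dirs:
        for p in Path(d).glob("*.pth"):  # site only reads top-level .pth files
            try:
                files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
    return audit_pth_texts(files, size_threshold)


if __name__ == "__main__":
    for finding in audit_installed():
        print(finding["file"], finding["reasons"])
        for line in finding["exec_lines"]:
            print("   ", line)
```

Run it with the interpreter whose environment you want to check, since each virtualenv has its own site-packages and therefore its own set of .pth files. An exec line is not proof of compromise (editable installs and some build tools legitimately ship one), so the output is a review list: read every flagged line, and treat encoded or downloaded content inside it as a finding.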
